SECRET SHARING FOR COLOR IMAGES
by
Mohsen Heidarinejad
A thesis submitted in conformity with the requirements for the degree of Master of Applied Science Graduate Department of Electrical and Computer Engineering University of Toronto
Copyright © 2008 by Mohsen Heidarinejad Library and Bibliotheque et 1*1 Archives Canada Archives Canada Published Heritage Direction du Branch Patrimoine de I'edition
395 Wellington Street 395, rue Wellington Ottawa ON K1A0N4 Ottawa ON K1A0N4 Canada Canada
Your file Votre reference ISBN: 978-0-494-44991-2 Our file Notre reference ISBN: 978-0-494-44991-2
NOTICE: AVIS: The author has granted a non L'auteur a accorde une licence non exclusive exclusive license allowing Library permettant a la Bibliotheque et Archives and Archives Canada to reproduce, Canada de reproduire, publier, archiver, publish, archive, preserve, conserve, sauvegarder, conserver, transmettre au public communicate to the public by par telecommunication ou par Plntemet, prefer, telecommunication or on the Internet, distribuer et vendre des theses partout dans loan, distribute and sell theses le monde, a des fins commerciales ou autres, worldwide, for commercial or non sur support microforme, papier, electronique commercial purposes, in microform, et/ou autres formats. paper, electronic and/or any other formats.
The author retains copyright L'auteur conserve la propriete du droit d'auteur ownership and moral rights in et des droits moraux qui protege cette these. this thesis. Neither the thesis Ni la these ni des extraits substantiels de nor substantial extracts from it celle-ci ne doivent etre imprimes ou autrement may be printed or otherwise reproduits sans son autorisation. reproduced without the author's permission.
In compliance with the Canadian Conformement a la loi canadienne Privacy Act some supporting sur la protection de la vie privee, forms may have been removed quelques formulaires secondaires from this thesis. ont ete enleves de cette these.
While these forms may be included Bien que ces formulaires in the document page count, aient inclus dans la pagination, their removal does not represent il n'y aura aucun contenu manquant. any loss of content from the thesis. Canada Abstract
Secret Sharing For Color Images
Mohsen Heidarinejad
Master of Applied Science
Graduate Department of Electrical and Computer Engineering
University of Toronto
2008
Digital data security and integrity preservation are important issues in modern com munication systems. The confidentiality of the transmitted visual data over digital com munication networks is usually obtained by encryption. However, the main disadvantage of the encryption frameworks arises from their dependency on the utilized key. In this thesis, we will investigate practical methodologies to solve these challenges regarding secure visual data transmission over communication channels.
Secret sharing schemes have been employed for storage and transmission of visual data. The primary motivation of this work is to propose novel secret sharing schemes for color images which can be considered as cost effective candidates for transmission of color images over communication channels. We present Secret Sharing for Visual Data (SSVD) schemes which are followed by algebraic operations to preserve the input image content.
They are capable of transmission of color images over bandwidth limited communication channels.
n Acknowledgements
First and foremost, I would like to thank my supervisor Prof. Konstantinos N. Pla- taniotis for his detailed and constructive comments. His wide knowledge and vision on signal processing and mathematics have been of great value for me. His understanding, encouraging and personal guidance have provided a good basis for my graduate research career. He has not only been an outstanding teacher and advisor, but also a great friend.
His work ethics and dedication to ensuring the success of his students are certainly ex ceptional. My deepest gratitude goes to him for always believing in my work.
I would also like to thank him and department of Electrical and Computer Engineering for their financial support. My graduate study at University of Toronto has been a really rewarding experience. Thank you to my defence committee, Prof. Hatzinakos, Prof.
Valaee, and the chair Prof. Gulak for taking the time to serve and provide useful insight.
This work would have been impossible without my friends who helped me weather the storm. Specially, I would like to convey my regards to Peyman Razzaghy, Karl Martin,
Hamed Hassani, Mansour Yousefi, Mohammad Shahin Mahanta, Behrouz Khoshnevis,
Amirhossein Shokouh Aghaei and Azadeh Koushki. Their inspiring discussions and valu able suggestions have definitely had a great impact on my work.
As always, I am deeply indebted to my parents, Maryam and Esmaeil and my brothers
Meisam, Milad and Mohammad for their love and support throughout this degree and my life. I would like to thank them for their understanding and unwavering belief in me.
Their contribution to my life is too large to fit on this page.
in Contents
1 Introduction 1
1.1 Need for Security and Integrity of Information 1
1.2 The Importance of Visual Cryptography and Secret Sharing For Visual Data 5
1.3 Key Technical Challenges in Secret Sharing For Visual Data (SSVD) . . 8
1.4 Thesis Contributions 9
1.4.1 SSVD Schemes With No Expansion Factor 10
1.4.2 SSVD Schemes With Reduced Expansion Factor 11
1.5 Thesis Outline 13
2 Preliminaries and Background 15
2.1 RGB Color Space 15
2.2 Permutation 17
2.3 Implementational Issues Regarding Permutation Procedure 20
2.3.1 On Adaptive Generation of Permutation Matrices 20
2.3.2 On Compression of Permutation Matrices 21
2.3.3 On Secure Transmission of Permutation Matrices 22
2.4 Preliminaries 23
2.4.1 Karnaugh Map 24
2.4.2 Bezout's Lemma and Extended Euclidean Algorithm 25
2.4.3 Maximum Distance Separable (MDS) Codes 26
iv 2.5 Chapter Summary 27
3 Prior Works 28
3.1 {k,n} Secret Sharing Scheme 28
3.2 Bit Level Based SSVD Scheme 29
3.2.1 Encryption 31
3.2.2 Decryption 33
3.3 A Review of Prior Works In VSS 34
3.4 Matrix Projection Based VSS Scheme 38
3.4.1 Encryption 38
3.4.2 Decryption 42
3.5 Chapter Summary 44
4 SSVD Schemes With No Expansion 45
4.1 Karnaugh Map Based {2,2} SSVD Schemes 45
4.1.1 Scheme A 46
Encryption 46
Decryption 49
4.1.2 Scheme B 49
Encryption 51
Decryption 52
4.1.3 Input dependent and input independent solutions 56
4.2 Number Theory Based {k, n} SSVD Scheme 57
4.2.1 Encryption of the Permuted Image 58
4.2.2 Decryption of the Permuted Image 60
4.2.3 Number Generation Algorithm 63
4.2.4 Implementational Issues and Analysis 65
On Implementation Using 8-bit Processors 65
v On Sharing of Permutation Matrices 66
On Number Theory and Secret Sharing 67
On Security Analysis 68
On {2,2} SSVD Scheme 72
On the Optimality of the Secret Sharing Scheme 72
4.3 Experimental Results 74
4.4 Chapter Summary 82
5 SSVD Schemes With Reduced Expansion 85
5.1 Algebraic SSVD Scheme For Color Images 85
5.1.1 Encryption 87
5.1.2 Decryption 88
5.1.3 On Pixel Expansion 89
5.2 A Second Generation SSVD Scheme For Color Images 92
5.2.1 Segmentation of the input image 93
5.2.2 Encryption 95
5.2.3 Decryption 96
5.2.4 On Pixel Expansion 97
5.3 Experimental Results 99
5.4 Chapter Summary 104
6 Conclusions 106
6.1 Research Summary 106
6.2 Future Work 108
A Proofs 110
B An Example of Number Generation Algorithm 113
VI Bibliography 114
vn List of Tables
1.1 Comparison of different hash functions 4
4.1 The summary of the notations in the proposed Karnaugh map based scheme B 54 4.2 Summary of schemes implemented for comparison of experimental results 74
5.1 Summary of the schemes implemented for comparison in experimental re sults 100
6.1 Summary of the proposed schemes in this thesis 107
vm List of Figures
1.1 System level diagram of encryption framework 2
1.2 System level diagram of data hiding procedure 5
1.3 General description of secret sharing schemes 6
2.1 Representation of each color in RGB space as a combination of its Red, Green and Blue components 16
2.2 The RGB color model mapped to a cube 17
2.3 Applying permutation on each color channel 19
3.1 Images corresponding to the bit-levels of the color image Lena: (a) k = 8
(b) jfc = 7 (c) k = 6 (d) k = 5 (e) k = 4 (f) k = 3 (g) k = 2 (h) k = 1 . . . 31
3.2 Pseudocode description of the encryption phase of the proposed bit-level based SSVD scheme 33
3.3 Pseudocode description of the decryption phase of the proposed bit-level based SSVD scheme 34
3.4 The proposed bit-level based method {2,2} (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image 35
3.5 Pseudo-code description of the encryption phase of the proposed SSVD scheme 40
3.6 Pseudocode description of the decryption phase of the proposed SSVD scheme 42
IX 3.7 The proposed SSVD scheme in {2,2} (tested for a color image): (a) Orig inal image (b) Share 1 (c) Share 2 (d) Decoded image 43
4.1 The pseudo-code description of the proposed scheme A 47
4.2 The pseudo-code description of the proposed scheme B 50
4.3 A mapping of minterms on a Karnaugh map 53
4.4 System level diagram of the proposed number theory based SSVD scheme 59
4.5 Pseudocode description of the encryption phase of the proposed number theory based SSVD scheme 61
4.6 Pseudocode description of the decryption phase of the proposed number theory based SSVD scheme 62
4.7 The log2 of the number of possible values of Xj (8) as a function of 7, indicating the security of X; against exhaustive search attack 70
4.8 The proposed Karnaugh map based scheme A (tested for a color image) {2,2} 75
4.9 The proposed Karnaugh map based scheme B (tested for a color image) {2,2} 75
4.10 The proposed number theory based method (tested for a color image) {2,2}. 76
4.11 The proposed number theory based method (tested for a color image) {2,3}. 77
4.12 The method proposed by Bai {2,2} block size= 4 (tested for a color image). 77
4.13 The method proposed by Lukac and Plataniotis (tested for a color image) {2,2} 78
4.14 The proposed number theory based method (tested for a face image) {2,3}. 79
4.15 The proposed number theory based method (tested for an outdoor image) {2,3} 80 4.16 The proposed number theory based method (tested for a surveillance frame image) {2,3} 80
x 4.17 The proposed number theory based method (tested for a scanned docu ment) {2,3} 81 4.18 An example of the effect of permutation in the proposed Karnaugh map based scheme B for the {2,2} scenario 82
5.1 The system level diagram of the proposed algebraic SSVD scheme .... 86 5.2 Pseudocode description of the encryption phase of the proposed algebraic SSVD scheme 88 5.3 Pseudocode description of the decryption phase of the proposed algebraic SSVD scheme 90 5.4 Comparison of expansion factor of our algebraic method and the proposed scheme by Bai. n is the number of participants 92 5.5 System level diagram of the proposed segmentation based SSVD scheme 93
5.6 Pseudocode description of the encryption phase of the proposed segmen tation based scheme 95 5.7 Pseudocode description of the decryption phase of the proposed segmen tation based scheme 96 5.8 Comparison of compression rates of the proposed segmentation based method against the proposed scheme by Bai. n is the number of par ticipants 98 5.9 Comparison of the expansion factor of the proposed segmentation based method against the proposed algebraic scheme, n is the number of partic ipants 99 5.10 The proposed algebraic SSVD scheme {2,2} (tested for a color image). . 101 5.11 The proposed segmentation based SSVD scheme {2,2} (tested for a color image) 101 5.12 The proposed method by Bai {2,2} block size= 4 (tested for a color image). 101 5.13 The proposed algebraic scheme (tested for a color image) {2,3} 102
xi 5.14 The proposed segmentation based scheme (tested for a color image) {2,3}. 103
5.15 The proposed scheme by Bai (tested for a color image) {2,3} 103 5.16 Sharing part of the image {2, 2} in the proposed segmentation based ap proach: (a) Original image (b) Part of the image (c) Share 1 (d) Share 2 (e) Decoded image 104
xn List of Abbreviations
SSVD Secret Sharing for Visual Data VC Visual Cryptography vss Visual Secret Sharing DES Data Encryption Standard AES Advanced Encryption Standard DRM Digital Rights Management MDS Maximum Distance Separable RGB Red Green Blue MSB Most Significant Bit LSB Least Significant Bit
CR Compression Ratio SFCOD Space Filling Curve Ordered Dithering IA Input Agnostic IS Input Specific EFR Expansion Factor Ratio
Xlll List of Symbols
S Input image Sp Permuted image Pi, P2 Permutation matrices Pi, P2 Compressed permutation matrices
th SHP i generated share Pn Set of n participants Pp A subset of participants with t members Spn Reconstructed image using P" G Generator matrix of an MDS code A Associated matrix
AnxC(njt-i) Matrix look-up table X Set of the generated numbers in the number theory scheme Pi ith prime factor in the number theory scheme b Block size m Pixel expansion Sp Rearranged permuted image 7 Number of prime factors less than S Number of possible ways to find Xi
XIV Chapter 1
Introduction
In recent years the trend towards the utilization of cost effective schemes for content transmission through communication channels has been significant. In order to obtain such solutions, many challenging aspects of visual data transmission such as the required bandwidth or the amount of space needed for storage are to be solved [1], [2]. This chapter briefly addresses the available methodologies for achieving security and integrity during processing and transmission of visual data and focuses on a subset of these solutions, namely the so called Secret Sharing for Visual Data (SSVD) or Visual Cryptography
(VC) schemes.
1.1 Need for Security and Integrity of Information
Security and data integrity are of paramount importance in processing visual data. Due to the rapid advance of communication systems and networking technologies, the secure transmission as well as the processing of visual data over networked devices become extremely important [3]. Thus, a subsequent shift of research attention towards the management of content information in such applications has been observed [4].
To preserve content confidentiality, a number of security solutions have been intro duced recently. In general, these solutions usually revolve around the following guidelines
1 CHAPTER 1. INTRODUCTION
Input Encrypted Cipher information ^ input
^
Key Key c=N V\ utilizati
Figure 1.1: System level diagram of encryption framework and principles [5]:
• Confidentiality: The transmitted data should not become available to unauthorized users.
• Authentication: At the destination, the received data should be verified to ensure that they are the actual information sent from the source.
• Integrity: It should be assured that the transmitted data have not been modified during transmission.
• Effective management: Any key or overhead information should be distributed in a cost effective manner.
The common way to achieve content confidentiality is to utilize cryptographic tech niques such as encryption of data using encryption algorithms such as DES (Data Encryp tion Standard) or AES (Advanced Encryption Standard) [6]. An encryption algorithm is a method of transforming a message (visual input data in our case) by means of cryp tographic solutions that guarantee confidentiality or integrity. The role of an encryption algorithm is to protect the confidentiality of the data, by either encrypting the data one block at a time or performing bit by bit encryption [7].
The general diagram of a typical encryption system is depicted in Fig. 1.1. Its CHAPTER 1. INTRODUCTION 3 framework consists of two main blocks, namely cipher and key utilization [8]. In cryp tography, a cipher is an algorithm that performs encryption and decryption. The cipher can be viewed as a code. Cryptographic codes operate by substituting according to a large code-book which transforms a random string of characters or numbers to a word or phrase [9]. The operation of a cipher usually depends on an auxiliary information, commonly labeled as key. The encryption algorithm's operation depends critically on the key uti lization procedure. A key must be selected before using the cipher to encrypt the message (input data). Without knowledge of the key, it should be difficult, if not nearly impossi ble, to decrypt the encrypted actual input information [10].
It is easily understood from the preceding discussion that the main problems with cipher based encryption approaches arise from the dependency on the ( [11]):
• key: In most of the proposed encryption schemes, the key utilized for encryption should be protected against attacks or corruption. Any change or corrupt modifi cation of the key degrades the encryption performance.
• output of the encryption system: The performance of the system depends on the decrypted output. Similar to the key, the output is vulnerable to manipulation, truncation, corruption and alteration.
In other words, the critical vulnerability and disadvantage of cipher based encryption techniques is its built-in single-point-failure [12] which means that the secret information cannot be decrypted if the encryption and decryption keys are lost or the encrypted content is changed or corrupted during transmission. Verifying the information content is equally challenging as preserving integrity of content and key. A common way to authenticate information is to utilize hash functions as a pre-step in the encryption framework [13]. Hash functions are utilized to ( [14]):
• conceal (making it computationally infeasible to recover) input information and CHAPTER 1. INTRODUCTION 4
Table 1.1: Comparison of different hash functions
Name Output size (bits) Maximum message size (bits) Collision
SHA-0 160 264-l Yes
SHA-1 160 264 _ ! by 263 operations
SHA-256 256 264-l None
SHA-384 384 2128 _ x None
SHA-512 512 2128 _ 1 None
produce an input variant suitable for storage
• provide a secure comparison method for information authentication
Over the years, various solutions to realize the requirements of an ideal hash function have been proposed, with varying degrees of success/failure [15]. Currently, the following methodologies are in use: SHA-0, SHA-1, SHA-2 family. These functions all accept a variable-length string of information bits and output a fixed-length hashed value. The bit lengths of the hashed values are as follows, SHA-0: 160 bits, SHA-1: 160 bits, SHA- 256: 256 bits, SHA-384: 384 bits and SHA-512: 512 bits. It should be mentioned that the specific name reflects the number of bits. These hash functions are presented in increasing order of storage and computational complexity. Table 1.1 summarizes the main properties of the mentioned hash functions. All of them are one-way or zero-knowledge functions [16] which reveal no information regarding the input data.
Vulnerabilities of cipher based encryption methodologies and hash collisions demand to seek other approaches to achieve confidentiality and integrity of the transmitted data over communication channels. In light of this, in this thesis, we will investigate practical methodologies to solve these challenges regarding secure visual data transmission over communication channels. CHAPTER 1. INTRODUCTION 5
Visual data I J> Processing Embedding Hidden V visual data
Figure 1.2: System level diagram of data hiding procedure
1.2 The Importance of Visual Cryptography and Se
cret Sharing For Visual Data
With the rapid growth in the area of communication systems and networking, large volumes of visual data are commonly transmitted over wired and wireless networks. To allow for wider availability of visual information and successful commercialization of many visual related services, it is essential to ensure that visual information is used only by authorized users [17], [18].
Depending on the application, instead of encryption, visual data may be protected using different methodologies, such as data hiding or VC [19]. Data hiding, a form of steganography, embeds data into digital media for the purpose of identification, anno tation, and copyright [20]. The main difference between cipher-based cryptography and data hiding techniques arises from the nature of their outputs [21]. Data hiding frame works modify the input message in such a way that no one apart from the sender and the intended recipient even realizes there is a hidden message.
When it comes to transmission and processing of visual data, the existing data hiding techniques try to modify the original image input and transmit it in an imperceptible way, often for the purpose of enforcing digital rights management (DRM) policies [22]. A general system level diagram of data hiding procedure is provided in Fig. 1.2. As it can be visually understood from this figure, the two main blocks of the system are processing and embedding. The main disadvantage of most of the data hiding methodologies is the fact that they can not completely guarantee the integrity of the hidden visual data. However, a number of recent solutions utilize a variety of schemes to optimize the embedding CHAPTER 1. INTRODUCTION
pre rocessi,, Share se^t ^ P g m Generation Reconstruction ^^^
Figure 1.3: General description of secret sharing schemes procedure or provide compatibility between the input and output hiding procedures [23],
[24].
On the other hand, VC or Visual Secret Sharing (VSS) is based on the idea of secret sharing [25], whereby a visual secret is shared between a set of participants. Secret sharing refers to any method for distributing a secret, in our case the actual visual input, among a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when some permitted subsets of the shares are combined together; individual shares or not-permitted subsets of the shares are of no use on their own. Secret sharing schemes were independently introduced by Shamir [25] and Blakley [26] in 1979.
Shamir applied polynomial interpolation to develop secret sharing schemes, while Blakley used plane geometry. VC and secret sharing has found applications in information hiding, visual identification, authentication and image protection [17], [27].
The general block diagram of a secret sharing scheme is yielded in Fig. 1.3. As it can be seen, it is comprised of four modules, namely:
• Preprocessing: This module provides compatibility between the input secret and
the share generation phase. In all of the proposed schemes in this thesis, permuta
tion is employed as a preprocessing step.
• Share generation: The input to this module is the preprocessed secret which should
be shared between a set of participants who are involved in the secret sharing CHAPTER 1. INTRODUCTION 7
procedure and the output is the generated shares which should be assigned to these participants. The main criterion in the share generation module is to preserve the secrecy of the secret, i.e. according to the sharing policy, the secret should not be revealed to some defined subsets of participants.
• Share distribution: At this module, the generated shares are assigned to the par ticipants. The procedure is performed by a trustee person, which is often called dealer, who has access to all of the generated shares before distribution.
• Reconstruction: The recovery of the shared secret is performed at this stage. Based on the sharing policy, some pre-defined subsets of participants are given access to the shared secret by polling their shares while the rest of the share-holders coalitions are prohibited from accessing the input. According to the system level diagram of Fig. 1.3, preprocessing parameters may be used at this module.
It is important to note here that analyzing the transmission of the generated shares through communication channels is out of the scope of this work. We assume that each participant can perfectly receive his/her transmitted share and there is no loss during the transmission process.
It should be noted at this point that in VSS schemes, the secret is an image and en cryption is performed using digital processing algorithms. In early VC schemes, decryp tion was performed using the human eye, without the need for complex cryptographic techniques [28]. In other words, VC solutions use the properties of the human visual system to force the recognition of a secret image from overlapping the shares without additional computational processing and any cryptographic knowledge. The primary mo tivation of this work is to propose novel secret sharing schemes for color images which can be considered as cost effective candidates for sharing and transmission of color images over communication channels. CHAPTER 1. INTRODUCTION 8
1.3 Key Technical Challenges in Secret Sharing For
Visual Data (SSVD)
The main shortcoming of the early secret sharing schemes stems from the impairment between the input image and the recovered image which was produced by polling of the overlayed generated shares. In other words, there is loss in the reconstruction phase of any VC scheme. An alternative solution to this problem is to employ half-toning techniques [29] as a preprocessing step in the share generation phase of the VC framework.
However, these techniques reduce the quality of the recovered visual data.
As a result, preserving the original input image content is one of the prime objectives in developing SSVD schemes. If the input visual information is available in digital format and the decryption procedure is performed in digital devices, the reconstructed image can be processed and recovered by digital operations [30]. The SSVD solutions discussed in this thesis operate without the need for a human observer and the perfect reconstruction of the input is obtained by means of digital image processing solutions. The main design criteria of the proposed SSVD solutions can be summarized as follows:
• The security of the shares—i.e., the confidentiality of the image shares against
attackers who do not possess the required number of shares: With regards to the
security of the shares, it is generally required that the individual shares and a
combination of a number of shares which is below that required by the sharing
policy for correct decryption, should not reveal any pertinent information.
• Pixel expansion (m): Pixel expansion refers to the average number of subpixels,
m, in the share image required to represent a single pixel in the original input
image, and as a result affects the size of the generated shares (i.e., m — 1 results in
shares of the same size as the original image). In other words, the pixel expansion
factor m can be considered as a size (dimension) comparison criterion between the CHAPTER 1. INTRODUCTION 9
input image and each of the generated visual share. Since the generated shares will usually be transmitted or stored, it is generally desirable to keep the pixel expansion factor (m) to a minimum.
• The quality of the reconstructed image: For the quality of the reconstructed image, most modern imaging applications will only tolerate perfect or near-perfect (visually lossless) reconstruction. This is especially important when the solution is employed for forensic and law-enforcement applications.
• Cheating prevention ability: Submission of fake shares by involved participants degrades the performance of any SSVD scheme. Thus, protecting a SSVD scheme against these types of attacks, namely cheating, is important. However, it should be pointed out that there is a tradeoff between the immunity of a SSVD scheme against cheating operations and the overhead due to utilizing cheating prevention procedures.
It should be mentioned that analyzing the cheating prevention ability is out of the scope of this work. The main contribution of the thesis is to propose SSVD schemes for color images that satisfy the first three design criteria namely: secrecy, pixel expansion factor (m) and perfect reconstruction.
1.4 Thesis Contributions
Given the fact that color images, due to their tristimulus representation, occupy much more space and require much more bandwidth for transmission, compared to gray scale images, it is important to develop an SSVD scheme for color images with no pixel expan sion or reduced expansion; in other words, a scheme with m <= 1 and satisfying perfect reconstruction simultaneously. Through the rest of this section, we briefly demonstrate the properties of the proposed schemes in this thesis which have been categorized in CHAPTER 1. INTRODUCTION 10 terms of pixel expansion factor.
1.4.1 SSVD Schemes With No Expansion Factor
As it was discussed in the previous section, reducing the pixel expansion (m) of the
SSVD schemes is an important design issue. Considering the fact that there are imposed limitations on the attributed bandwidth of the communication channels, the focus of the first part of the thesis is to research, develop and implement an SSVD scheme which has an expansion factor of m — 1 while offers perfect reconstruction. Such schemes are important since they:
• make the generated shares suitable for utilization in digital image processing and
transmission pipelines.
• utilize RGB representation of color images, thus make the share generation algo
rithm implementable by 8-bit processing operations on a pixel-by-pixel basis, using
low-complexity hardware implementations.
To fulfill these requirements, two SSVD frameworks with different design characteristics are introduced in this thesis. Namely:
• Karnaugh map based SSVD scheme: This part of the thesis introduces a novel
family of {2, 2} SSVD schemes suitable for processing of color images. The novel
design utilizes matrix sets derived using a Karnaugh map. The encryption and
decryption functions are executed at the bit level of the RGB color representation.
Two schemes with different objectives and functional requirements are discussed in
this part. The first proposed scheme achieves perfect reconstruction with a pixel
expansion factor of m — 2 while the second scheme offers perfect reconstruction
with no pixel expansion (m — 1).
Although many schemes which claim enhanced security, scalability and flexibil
ity have been proposed recently, a few of them offer perfect reconstruction in the CHAPTER 1. INTRODUCTION 11
context of bandwidth constraint communication systems. Analysis and experimen tal results including in this part support the main argument that the developed schemes are ideal for transmission of color images over un-trusted and bandwidth limited communication channels.
• Number theory based SSVD scheme: A novel SSVD scheme suitable for enforcing the confidentiality of digital color images is proposed in this part of the thesis. The scheme employs number theory concepts and the finite ring integer representation of the color image pixel values to generate shares in a {k, n} secret sharing scheme. The generated noise-like shares use the same finite ring integer representation (8 bits-per-pixel/channel) and have the same pixel dimensions as the original image (pixel expansion factor of m = 1), making the shares suitable for use in digital imaging systems which offer fixed resources for image storage and transmission.
The share generation algorithm can be implemented using 8-bit processing oper ations on a pixel-by-pixel basis, allowing for low-complexity hardware implemen tations. When k or more shares are polled, the decryption procedure is able to perfectly reconstruct the original image. The performance of the proposed scheme is verified through experimental results generated using a variety of input color images, and compared to other VSS schemes in the literature.
1.4.2 SSVD Schemes With Reduced Expansion Factor
Considering the fact that the required bandwidth for transmission of images over commu nication channels is proportional to the size of the images and color images due to their structure occupy more space and bandwidth compared to gray-scale and binary images, it is necessary to reduce the expansion factor of the schemes as much as possible. The main scope of the second part of the thesis is to develop SSVD schemes satisfying m < 1 while achieving perfect recovery of the original input image. Two different schemes sat- CHAPTER 1. INTRODUCTION 12 isfying these properties with different objectives are proposed in this part which can be summarized as follows:
• Algebraic SSVD scheme: This part of the thesis introduces a novel, cost effec
tive SSVD scheme suitable for color image transmission over bandwidth constraint
communication channels. Unlike previously proposed schemes, the solution offers
perfect reconstruction while producing shares with size smaller than that of the
input image. The maximum distance separable (MDS) codes principles used in the
design allow for the introduction of a flexible framework that compares favorably
to competing solutions as it can be seen by examining the experimental results
included in this part.
• Segmentation based SSVD scheme: A novel, cost effective SSVD scheme is intro
duced in this part of the thesis. The scheme partitions the input image into sub
components by utilizing a segmentation step. The contents of the segmented parts
are subsequently used to form a secret sharing solution. This modular approach,
which mimics the second generation coding principles, achieves perfect reconstruc
tion. Comparisons and experimental results included in this section indicate that
it also compares very favorably against competing solutions when it comes to pixel
expansion.
In conclusion, the main contributions listed in this work:
• operate on the bit-level or pixel level of the original input image.
• are capable of color image encryption for storage or transmission through bandwidth
limited communication channels
• achieve perfect reconstruction
• produce visual data available in digital format, thus make for easy integration in
digital image processing pipelines. CHAPTER 1. INTRODUCTION 13
1.5 Thesis Outline
The thesis is organized as follows. Chapter 2 describes the required preliminaries for developing the proposed schemes. In particular, we describe RGB space as the color image representation model used in this thesis. In addition, a section on permutation and matrix analysis is included in Chapter 2, since permutation is used as a pre-processing step in the derived solutions. The problems related to the utilization of the permutation methodology are discussed in detail. Additional background material is also reviewed. It includes a brief introduction to the Karnaugh map design and number theory concepts which are employed in Chapter 4 and MDS codes which are used in Chapter 5.
Chapter 3 reviews significant research works in the SSVD research area. It begins by introducing {k,n} secret sharing scheme terminologies. The bit-level based SSVD scheme [30] is reviewed and analyzed in detail. Choosing this specific scheme arises from the fact that the proposed Karnaugh map based scheme in Chapter 4 is an improvement of the bit-level based scheme in terms of pixel expansion. Also, the proposed scheme in [12] is reviewed as an example of a competing solution capable of transmitting images over bandwidth constraint communication channels.
The main focus of Chapter 4 which consists of two sections is the development of SSVD schemes with no expansion (m = 1) and perfect reconstruction. The first part of the chapter deals with the improvement of the described bit-level based scheme in Chapter 3, develops two {2,2} SSVD schemes by utilizing Karnaugh map design. They operate directly at the bit levels of the original input image. Proposing a {k,n} SSVD scheme based on the number theory concepts is the main focus of chapter's second part. The proposed framework applies on each color pixel independently.
Chapter 5 focuses on the development of SSVD schemes with reduced pixel expansion factor (m < 1) while satisfying perfect reconstruction property. The first part of Chapter 5 proposes a {k, n} SSVD scheme by employing MDS codes which is capable of utilization in real-time signal processing applications. The second part of Chapter 5 proposes a CHAPTER 1. INTRODUCTION 14
{k, n} SSVD scheme based on the segmentation of the original input image. The scheme partitions the input image into sub-components by utilizing a segmentation step. The contents of the segmented parts are subsequently used to form a secret sharing solution. It is capable of sharing of the important parts of the input image. Experimental results confirm the property of the proposed schemes. Finally, Chapter 6 concludes the thesis and discusses the future research works in this area. Chapter 2
Preliminaries and Background
This chapter addresses the required preliminaries and background materials which will be utilized in the rest of thesis. It commences by introducing the RGB space as the employed model for representation of color images. After that permutation procedure as a preprocessing step in the proposed SSVD schemes and its implementational issues are discussed in detail. Finally, a number of required background concepts regarding the development of the contributed SSVD schemes in thesis are demonstrated.
2.1 RGB Color Space
Choosing an appropriate color representation model for processing tasks is a fundamental problem in image processing and computer vision [31]. Color images are usually repre sented in the RGB color space for both visualization and storage [32]. A given color in the RGB color space can be described by indicating the value of each of the red, green and blue color that is included in it (Fig. 2.1). Each can vary between the minimum (no color) and maximum (full intensity). Since each of these color components can vary be tween the same two limits, the RGB space is usually viewed as a 3-dimensional cube [33] depicted in Fig. 2.2.
Throughout the thesis, bold letters are used for matrices representation while normal
15 CHAPTER 2. PRELIMINARIES AND BACKGROUND 16
fillip:
SMBSW
Figure 2.1: Representation of each color in RGB space as a combination of its Red, Green and Blue components letters are used for variables. We use RGB as the standard representation model for the original input image, shares and reconstructed image but any 8-bit integer, unsigned trichromatic representation would suffice. Thus, a given (Ki x K-i) color image S in the
RGB space will be defined as a mapping:
S : Z2 -• Z3 (2.1)
In the rest of this thesis a color image S will be indicated as follows :
S — [Si,S2, S3] (2.2)
where Sc (c — 1,2,3) is a {K\ x K2) matrix and T is the matrix transpose operator. In other words, the color image S is viewed as a (Ki x ivT2) matrix populated with three dimensional vectors. As it was previously mentioned, each color pixel (elements of matrix
S) in the RGB space is completely characterized by the values of its red, green and blue spectral components. Each spectral value is an integer taking values in the closed interval
[0,28 — 1] resulting in the 24-bit representation of the color pixel:
S(i,j) = [si(i,j),s2(i,j),s3(i,j)} (2.3) where (i,j) are row and column indices (for i = 1,2,...,K\ and j — 1,2,...,K2) and c —
1,2 or 3 indicates the spatial location and the color channel respectively. Throughout this CHAPTER 2. PRELIMINARIES AND BACKGROUND 17
Figure 2.2: The RGB color model mapped to a cube thesis, c = 1 denotes the R (Red) component, c = 2 denotes the G (Green) component,
th and c = 3 indicates the B (Blue) component. In (2.3), sc(i,j) is the c channel value of the pixel in spatial position (i,j) and Sc is composed of sc(i,j). Using the bit-level based notation, the sc(i,j) element of the color vector S(i,j) can be expressed as follows:
°c(i,j) = Y,&i,3)*-k (2.4) fe=i
k where s c{i,j) equals to binary zero or one (bit) with k — 1 denoting the most significant bit (MSB) and k = 8 representing the least significant bit (LSB).
2.2 Permutation
In SSVD schemes, it is important that the generated image shares do not reveal any significant information about the original input image. To ensure that this property is observed, pre-processing transforms may be utilized prior to the sharing of the input data to reduce the spatial correlation amongst pixel values in the original image [34]. A number of such transforms can be developed in the context of the contributed schemes in this thesis. As a general design guideline, pre-processing transforms should be designed such that: CHAPTER 2. PRELIMINARIES AND BACKGROUND 18
• the transform should be invertible; in other words the original input image should be recovered without loss of information.
• the domain representation should be preserved; in other words when the trans formation is applied on an RGB color image, with an 8-bit per spectral channel representation, an 8-bit transformed (per spectral channel) representation should be obtained.
• the computational complexity of the preprocessing transformation should be rela tively low compared to the complexity requirements of the rest of the SSVD pro cedure.
In this thesis, a square permutation matrix has been utilized as an example of a pre processing transformation capable of reducing the spectral correlation amongst the image pixel values. Each spectral image Sc in (2.2) is permuted using two permutation matrices
Pi and P2 with dimensions {Kx x K\) and (K2 x K2) respectively, according to:
SPc = (Px x Sc) x P2 (2.5) where P^IeV,...,^'1] (2.6) with e7 denoting a column vector of length K\ with 'one' in one of its position and 'zero' in every other position and e1 ^ e? for 1 < i,j < K\ and i ^ j. In other words, the defining characteristic of the two permutation matrices is that only a single 1 per row and column is permitted while the rest of their elements are set to zero. For example, a toy permutation matrix with dimension (5 x 5) should look as follows :
0 10 0 0 0 0 10 0 Pi = 10 0 0 0 0 0 0 0 1 0 0 0 10 CHAPTER 2. PRELIMINARIES AND BACKGROUND 19
Si 1 SP 1 Sz 1 s* 1 s S3 Sp 4 z=$ Permutation £=^ *¥> rs^
{Pl,P2>
Figure 2.3: Applying permutation on each color channel
It can be seen that each column and each row contain only one 1 and there is not any zero row or column. The permutation matrix P2 can be defined in a similar manner.
According to (2.5), permutation procedure is independently performed on each color channel of a given color image S (Fig. 2.3). It should be pointed out that the matrix
[SPc(hj)} (2.7)
where spc(i,j) are the elements of Spc, with 1 < i < K\ and 1 < j < K2, has the exact same spatial dimensions and domain representation (i.e. 8-bits per pixel, per spectral channel) with the original input image. Obviously, the permuted representation of matrix
S in (2.2) can be written as follows:
Sp — [Spi,Sp2,Sp3] (2.8)
As the permutation matrices are orthogonal by their construction, the inverse matrices
P^1 and P^1 exist [35]. As a result
1 1 sPc - pr x [sPc x P2 ]
1 = Pr x [((Px x Sc) x P2) x Pa!]
1 = PJ" x [(Pi x Sc) x I]
= (IxSc)xI
= Sc (2.9)
It confirms that the original input color image S can be perfectly recovered from the permuted image Sp. CHAPTER 2. PRELIMINARIES AND BACKGROUND 20
2.3 Implement at ional Issues Regarding Permutation
Procedure
Implementational issues regarding the utilization of permutation matrices as a preprocess ing step in the contributed SSVD schemes are considered in this section. In particular, we discuss adaptive generation, compression and sharing of the permutation matrices for transmission through communication channels.
2.3.1 On Adaptive Generation of Permutation Matrices
Permutation matrices have to be transmitted along with the generated shares to the receiver end of the communication channel. These matrices can be transmitted online during the actual operation or they can be pre-transmitted during the communication link establishment phase. They can be used to share any number of images with size
(Ki x K2) between the same transmitter-receiver pair. It should be noted that only one transmission of the permutation matrices per communication session is needed.
Further to that, when a number of input images with different dimensions are to be sent through the communication channel during the same session, there is no need to generate new permutation matrices every time that an input image with different dimension is presented by the transmitter. Let us assume that a permutation matrix with size (K\ x Kx) (Pj) has been constructed and a permutation matrix with size
(K3 x K3) (named P1) is needed with K3 > K\. Utilizing the main characteristic of permutation matrices, the new matrix can be defined as follows :
Pi OKXXCKS-ATI)
0(K3-ifi)xiCi Pi where 0 is a matrix with specified dimension with all of its elements are zero and P1 is a permutation matrix with dimension ((K3 — K\) x (K3 — K\)). Given the fact that Pi CHAPTER 2. PRELIMINARIES AND BACKGROUND 21 was available and already be sent to the receiver, we just need to transmit Pj. On the other hand, if one of the rows and columns that have 1 in their intersection position are randomly deleted from P'x, the remaining matrix is a permutation matrix with dimension ((if3 — 1) x (K3 — 1)). It means that if we delete A'3 — K\ rows and columns randomly from a (K3 x K3) permutation matrix repeatedly (K3 > K{), the remaining is a (Ki x K\) permutation matrix. It means that the permutation matrices are generated adaptively.
2.3.2 On Compression of Permutation Matrices
If communication resources such as bandwidth need to be conserved, the permutation matrices Pi and P2 need to be compressed. The sparse nature of the permutation ma trices makes the application of lossless compression scheme readily applicable. Let us assume that the permutation matrix Pi with dimension {K\ x K\) needs to be com pressed. By construction, each row of the matrix Pi has only one non-zero element. Thus, it is sufficient to simply define a value Zy denoting the position of the non-zero element in the jth row of Pi (1 < j < K\). Therefore, the Pi equivalent representation could be given as:
Pi — [^11,^12, ••• ,llKi\ (2-11)
As a result, for the transmission of the matrix Pi, at most K\ [log2 K{] bits are required. At the receiver end, the matrix Pi can be perfectly reconstructed by knowing the position of the non-zero elements. It is not hard to see that since the transmission of the matrix Pi requires K\ bits, the Compression Ratio (CR) which is the ratio between the required number of bits for the representation of the actual permutation matrix and its compressed version can be calculated as follows
CR=V^- (2.12) CHAPTER 2. PRELIMINARIES AND BACKGROUND 22
It should be noted that the number of bits needed for transmission of the compressed version of Pi and P2 matrices is negligible when it is compared to the number of required bits to represent, and thus transmit, the un-compressed input color image. For example, assuming a512x512 square color image, the original input image needs 5122 x 24 bits for transmission while the transmission of a compressed permutation matrix requires at
3 most 512 • log2 512 bits, which is approximately 10~~ of the input image transmission requirements.
2.3.3 On Secure Transmission of Permutation Matrices
The essential question to consider when it comes to the utilization of the permutation matrices is their accessibility by the share holders (participants). It is obvious that the permutation matrices should not be accessible because it would allow each participant to independently detect structural patterns from the original image, thus helping them to recover the original input image. To prevent such unauthorized access, the compressed permutation matrices can be shared using a secret sharing scheme. However, three major issues regarding the employed secret sharing scheme should be considered as follows:
• simplicity and reducing the additional overhead to the SSVD framework
• expansion factor of the employed secret sharing scheme
• perfect recovery of the permutation matrices
To achieve these properties, the bit-level based secret sharing scheme [30] is used for sharing of the compressed permutation matrices which will be discussed in details in the next chapter.
The performance of the SSVD schemes may be affected by attacks of adversaries on the permutation matrices. If an attacker successfully substitutes the permutation matrices at the receiver, the proposed schemes may not be able to perfectly reconstruct CHAPTER 2. PRELIMINARIES AND BACKGROUND 23 the original input image. It can also be argued that an attacker may be able to modify the permutation matrices so that the information about the original input is revealed in one of the shares. This is possible if and only if a permutation matrix with most of its elements equal to one along the main diagonal. In other words, for a share to reveal information, permutation matrices which does not decrease the correlation of the adjacent pixels of the original input image should be used. However, such an attack may not be probable since it assumes that the attacker will seize control of the process at the transmitter side. A more realistic scenario assumes that the permutation matrices are attacked as follows :
• The adversary changes the values of the permutation matrix such that the output matrix is not a permutation matrix following the format discussed in the preceding section
• The adversary substitutes the original permutation matrix with another one of the same size.
In order to prevent un-authorized modifications of the permutation matrices by an adversary, hash functions can be utilized. For each permutation matrix, a hash value is computed and communicated to the receiver. If an adversary produces another permuta tion matrix or modifies the original matrix, the resulting hash value will be different from the hash value of the original permutation matrix. At the receiver, a comparison between the value of the received hash function and the original hash value can be performed. If there is any difference between them, it can not be acceptable and as a result the attacks of adversaries can be detected.
2.4 Preliminaries
This section briefly addresses the required preliminaries and background materials for the development of the proposed SSVD schemes in this thesis. Specifically, it begins by CHAPTER 2. PRELIMINARIES AND BACKGROUND 24 description of the Karnaugh map design which is utilized in the proposed bit level based SSVD scheme in Chapter 4. Then, the required number theory concepts for description of the number theory based SSVD scheme in Chapter 4 is described. Finally, an overview of the Maximum Distance Separable (MDS) codes for establishment of the proposed algebraic SSVD scheme in Chapter 5 is considered.
2.4.1 Karnaugh Map
This part briefly reviews the employed Karnaugh map properties in the proposed bit- level based SSVD scheme in Chapter 4. In particular, we focus on expressing a boolean function in terms of Karnaugh map minterms.
Karnaugh map is an efficient tool to facilitate management of Boolean algebraic ex pressions [36]. Its rows and columns are ordered according to the principles of Gray code [37]. A Karnaugh map may have any number of variables, but usually there are only a few, between 2 and 6 for example. In the proposed SSVD scheme in Chapter 4, a Karnaugh map with four variables is established. Since all of the Karnaugh map variables can take the binary values 0 or 1, these variables can be combined in 24 different ways, so the Karnaugh map has to have 16 positions. The most convenient way to arrange this is in a (4 x 4) grid.
The 16 elements (M», 0 < i < 15) which constitute the Karnaugh map are named minterm. Each minterm can be represented according to the binary representation of its index. The number of bits for representation of minterm indices is equal to the number of Karnaugh map variables (in the proposed scheme in Chapter 4 it is equal to four). It is important to note here that there is a one-to-one correspondence between the binary representation of the minterms and their representation based on the Karnaugh map variables. For example, since the binary representation of 13 is 1101, in a Karnaugh map with four variables, namely A, B, C and D, M13 can be represented as ABCD where x is the 2's complement of the variable x. CHAPTER 2. PRELIMINARIES AND BACKGROUND 25
Utilizing the Karnaugh map design, a boolean function /(•) can be represented as a summation of the variable representation of the minterms M» whose /(M;) = 1. The following example clarify this explanation. Suppose that we want to find the variables representation of the boolean function f(A, B, C, D) such that
1 if te {3,7,12} f(Mi) = { (2.13) 0 otherwise Since the binary representation of 3, 7 and 12 in four bits is equal to 0011, 0111 and 1100 respectively, f(A,B,C,D) can be expressed as follows
f(A,B,C,D) = ABCD + ABCD + ABCD (2.14)
2.4.2 Bezout's Lemma and Extended Euclidean Algorithm
This part of thesis briefly presents the required background materials for the development of the proposed number theory based SSVD scheme in Chapter 4. In particular, we focus on Bezout's Lemma and extended Euclidean algorithm.
Lemma 2.1 (Bezout's lemma) Let us assume that g is the greatest common divisor
of the elements of x~ {^I, £2, • • •, xn} where x» £ Z (1 < i < n) (hereafter g — gcd(x),)-
Then 3 si, S2,..., sn € Z such that
sixi H h snxn = g
where Z is the set of integer numbers.
Proof : The proof of this lemma is available in [38]. In number theory, the Euclidean algorithm is a procedure to determine the greatest common divisor of two elements of any Euclidean domain (for example, the integers) [38]. Its major significance is that it does not require factoring the two integers. The extended Euclidean algorithm is an extension of the Euclidean algorithm for finding the greatest CHAPTER 2. PRELIMINARIES AND BACKGROUND 26 common divisor of integers x\ and x^- It also finds Si, S?, G Z in Bezout's Lemma such that S\X\ + S2X2 = 1. The description of the algorithm and its extension to the case of n inputs (xi,..., xn) have been provided in [39].
2.4.3 Maximum Distance Separable (MDS) Codes
This part of the thesis briefly demonstrates the required preliminaries and definitions for utilization of MDS codes in the proposed algebraic SSVD scheme in Chapter 5.
An [n, k, d] block code C over a finite field Fq with q elements is a k dimensional subspace of F™ where n, k and d are the block length, the dimension and the minimum distance of the code C respectively [40]. The minimum distance of an [n, k, d] linear code
C (dmin(C)) is equal to wtmin(C) where
wtmin(C) = min{wt(v) :»eC,B/0} (2.15) and wt(v) is equal to the number of nonzero components of v. For each [n, k, d] linear code, there has been associated a (k x n) generator matrix G of rank k such that
C = {uxG:ueFk} (2.16)
In the other words, the generator matrix G can be considered as a vector basis for C.
Theorem 2.1 (Singleton Bound) If C is an [n, k, d] linear code with minimum dis tance dmin{C) = d, then
d The proof of the preceding theorem can be found in [40]. Definition 2.1 A Maximum Distance Separable (MDS) [n, k, d] linear code C has the minimum distance dmin(C) = d — n — k + 1. The following theorem demonstrates the relation between q, k and n for an [n, k, n — k + 1] MDS code over Fq [41]. CHAPTER 2. PRELIMINARIES AND BACKGROUND 27 Theorem 2.2 Let C be an [n,k,n — k + 1] MDS code over Fq. Then ra-fc + 1 if k>2 q^> < (2.18) fc + 1 if k The proof of the preceding theorem can be found in [40]. 2.5 Chapter Summary This chapter has presented a number of the required preliminaries and background mate rials for development of the proposed SSVD schemes in this thesis. It has demonstrated the RGB color space as the color image representation model of the input image, gen erated shares and reconstructed image in a SSVD scheme. Then, permutation as a preprocessing step in SSVD frameworks has been considered. Consequently, the imple- mentational issues regarding the utilization of permutation matrices in a SSVD scheme has been discussed. Finally, a number of necessary concepts related to the contributed SSVD schemes in thesis have been introduced. Chapter 3 Prior Works This chapter addresses most of the significant prior SSVD schemes in the literature. The main focus is on evaluation of different SSVD schemes from the point of view of pixel expansion factor and perfect reconstruction. It initiates by introduction of {k, n} secret sharing scheme terminologies as the basic definition of SSVD algorithms. Then, the proposed solution in [30] as the bit-level based SSVD scheme for color images is explained in detail. After that, a review of a number of the proposed SSVD algorithms is presented. Finally, the matrix projection based scheme [12] as a competing SSVD solution against the proposed schemes which offer reduced expansion factor is demonstrated. 3.1 {fc, n} Secret Sharing Scheme SSVD solutions can be applied to binary, gray-scale or color images [42]. All SSVD schemes are based on either threshold designs or access structure solutions [43]. Threshold secret sharing is a type of secret sharing scheme which was firstly introduced by Naor [28]. The scheme recovers the input image by utilizing the human ability to process visual content without the use of any complex decoding operations. In the general fc-out-of-n SSVD scheme, which is denoted as {k,n} scheme, an image is encoded to n shares of random patterns by means of two defined matrix sets. Each participant is given a share 28 CHAPTER 3. PRIOR WORKS 29 which is basically the original input (secret) image whose pixels have been replaced by a number of other pixels according to a sharing policy. Any subset of participants with k or more elements can detect and reconstruct the original input image [28]. We proceed by denning the so-called participant index set Pn = {1,2,..., n} where n is the maximum number of share holders and an arbitrary subset P™ C Pn with cardinality t with 1 < t < n. Obviously, there are C(n, t) possible such sets where the J A . notational convention C(u,v) = = vu™Lv\\> v < u, u,v £ N is used to denote [vj enumeration with repetition and N denotes the set of natural numbers. Since any {k, n} scheme requires that a set of k or more participants can recover the input image, the cardinality of the involved subset of participants in decryption is an important issue. Two different scenarios must be considered in decryption step, namely the case for 1 < t < k — 1 which corresponds to a set of 'unqualified' participants, and the case for k < t < n which corresponds to a set of 'qualified' participants, a set of share holders who are allowed to recover the input image. On the other hand, an access structure VC scheme typically follows the general access structure developed by Ateniese et al [43]. The model describes a set of qualified subsets rgua; and a set of forbidden subsets TForb on n participants P = {l,2,...,n}. Only the participants of any qualified subset can jointly reconstruct the input image. The pair (^Quah ^Forb) is called the access structure of the scheme. 3.2 Bit Level Based SSVD Scheme This section briefly demonstrates the proposed bit-level based SSVD scheme in [30]. The proposed scheme is capable of protection of image data coded with B bits per pixel and generates .B-bit visual shares, utilizing a {k, n} secret sharing scheme and bit-level operations. The cost-effective proposed framework achieves perfect reconstruction of the original input image while the generated shares are greater than the input image in size CHAPTER 3. PRIOR WORKS 30 (m > 1). It is capable of encrypting binary (B = 1), gray-scale (B — 8) and color images (B = 24) and can be effectively implemented either in software or hardware. As it was previously discussed in Chapter 1, one of the main shortcomings of VSS schemes arises from the fact that they can not restore the transmitted original input im age in its original quality. This is due to the operation of {k, n} secret sharing schemes on binary input images and overlaying the generated shares to recover the input images. One of the available solutions to overcome this problem is to utilize the halftone version of the input image instead of employing the original information [44-46], but these tech niques also reduce the quality of the reconstructed image. This problem restricts the applicability of VC schemes. If the original input image is available in binary (digital) format and the decryption procedure is performed digitally, SSVD solutions can perfectly recover the input image in digital format and consequently make it ready for further digital image processing operations. This is the main idea behind the proposed bit-level based SSVD solution in [30] and the contributed schemes in this thesis. This scheme operates directly on the bit planes of the digital input image. The B-bit input image is decomposed into B planes and each of these bit levels can be considered as a binary image. Through the rest of this section, this scheme is analyzed in terms of its encryption and decryption procedures. The main reason for selection of the bit-level based scheme arises from the fact that the proposed Karnaugh map based SSVD scheme in Chapter 4 which operates on the bit planes of the input image as well, is an improvement of this scheme from the point of view of pixel expansion and bandwidth requirement. Without loss of generality, the bit-level based scheme is evaluated by a {2,2} application scenario which can be considered as the basic solution of the generic {k, n} VC scheme [30]. CHAPTER 3. PRIOR WORKS 31 (a) (b) (c) (d) (e) (f) (g) (h) Figure 3.1: Images corresponding to the bit-levels of the color image Lena: (a) k = 8 (b) k = 7 (c) k = 6 (d) jfc = 5 (e) k = 4 (f) k = 3 (g) k = 2 (h) k = 1 3.2.1 Encryption Let us consider a (Ki x K2) color image S which is represented in RGB space (without loss of generality and for presentation purposes) by B = 24 bit (eight bits per channel) as described in detail in Chapter 2. The two generated shares SHX and SH2 follow the same representation model. According to (2.4), the cth channel (1 < c < 3) value of the color pixel in spatial position (i,j), with 1 < i < K\ and 1 < j < K2, can be decomposed into eight bits as follows: k 8 k sc(iJ) = J2s c(i,j)2 - (3.1) fc=i The bit decomposition process is the main preprocessing step in the share generation of the bit-level based scheme. As it is depicted in Fig. 3.1, it is a natural way to decompose the input image to different bit planes. The encryption procedure /,,(•) which performs on each of the bit planes sk(i, j) separately, maps each of them into (2 x 2)-sized block as follows: CHAPTER 3. PRIOR WORKS 32 k fe(s c(i,j)) (3.2) { [shtsh^fed if ^(i,j) = l where S S l S S l £ hlc — [s/l(2i-X,2j-l)c> ' (2i-l,2j)c> ^(2i,2j-l)c> ' (2i,2j')c] SHi (3.3) S S S S S € (3.4) ^2c — [ ^{2i-l,2j-l)ci ^{2i~l,2j)ci ^(2i,2j-l)ci ^(2i,2j)c] ^H2 and 0 1 0 1 1 0 1 0 0 0 11 7 ? 1 0 1 0 0 1— 1 0 1 110 0 Cn=4 (3.5) 1 1 0 0 1 0 0 1 0 110 0 0 1 1 ) 0 1 1 0 •) 10 0 1 0 1 0 1 10 10 0 0 11 0 1 0 1 •) 10 10 ' 0 0 11 Ci = < (3.6) 1 1 0 0 10 0 1 0 110 1 1 0 0 ) 10 0 1 ' 0 110 include all matrices obtained by permuting the columns of the (2 x 4) basis matrices Ao and Ai such that 0 10 1 A0 = (3.7) 10 10 and 0 10 1 A1 = (3.8) 0 10 1 CHAPTER 3. PRIOR WORKS 33 Input: A (Ki x K2) color image S and matrix sets C0 and Ci Output: Two visual share SH4 and SH2 with dimension (2Ki x 2K2) Step 1. Decompose S into its bit planes according to (3.1) Step 2. Encode each bit plane s*(i,j) according to (3.2) Figure 3.2: Pseudocode description of the encryption phase of the proposed bit-level based SSVD scheme. It is important to note here that the selection of shlc,sh2c from Co and Ci is performed by a random number generator to preserve the random nature of the generated shares SH4 and SH2. It makes sure that none of the share holders (participants) can gain information regarding the input image based on his/her assigned share. Fig. (3.2) depicts the pseudo-code description of the encryption procedure. 3.2.2 Decryption To recover the original input image S from SHi and SH2, the decryption procedure fd{-) should satisfy the perfect reconstruction property. Taking the advantage of the arrangements of the binary pixels in the matrix sets C0 and Ci in a {2,2} application scenario, the decryption of the generated shares is performed as follows: 1 if s/l(2i-l,2j-l)c - s/l(2i-l,2j-l)c ,„ . /d(shtsb4) 0 if s/l(2i-l,2j-l)c 7^ S^(2i-l,2j'-l)c Considering the C0 and Ci design, it can be concluded that the proposed bit-level based scheme in [30] can perfectly recover the input image bit planes by employing reciprocal encryption and decryption functions while expands the input image by a factor of m — CHAPTER 3. PRIOR WORKS 34 Input: The generated shares SH4 and SH2 Output: Original input image S Step 1. Decrypt the bit planes of SH4 and SH2 according to (3.9) Step 2. Stack the decoded bit planes according to (3.1) Figure 3.3: Pseudocode description of the decryption phase of the proposed bit-level based SSVD scheme. 2x2 = 4. Recovering each of the bit planes of the original input image independently, they can be stacked together (according to (3.1)) to recover the original image. Fig. 3.3 describes the pseudo-code description of the decryption step of the bit-level based scheme. Fig. 3.4 illustrates the proposed bit-level based SSVD scheme which is performed on the input color image depicted in Fig. 3.4a. As it can be visually understood from this example, the proposed solution achieves perfect reconstruction of the input image. However, the generated shares (Figs. 3.4b and 3.4c) are twice the size of the original input image in both dimension, for a pixel expansion factor of m = 4. According to the random nature of the produced shares, none of the participants are able to extract information regarding the secret input image based on his/her assigned share. 3.3 A Review of Prior Works In VSS This section briefly reviews a number of the important proposed VSS scheme in terms of their expansion factor (m) and perfect reconstruction ability. Most of the previous research works in the area of VC attempted to develop schemes that either optimize pixel CHAPTER 3. PRIOR WORKS 35 (a) (b) (c) (d) Figure 3.4: The proposed bit-level based method {2,2} (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image expansion or focus on perfect reconstruction. In [47], size of the generated shares is half of the size of the input image but the clarity of the recovered image is proportional to the number of shares that were used in decryption procedure, i.e., the original input image can be completely recovered only if all of the generated shares are used during decryption. Minimizing the pixel expansion factor m for a given reconstructed image clarity level is considered in [48], but for any level of image clarity it can not achieve m < 1. Generation of meaningful shares based on threshold arrays is developed in [49] but it can not perfectly recover the original input image. The Space Filling Curve Ordered Dithering (SFCOD) algorithm is utilized in [50] to transform a gray-level image into an image with fewer gray-scale values. The size of the generated shares is the same as the original input image, but the solution can not perfectly reconstruct the original input secret. The scheme in [51] also uses SFCOD, in this case to convert a gray-scale image to binary and use existing binary secret sharing techniques. A scheme without pixel expansion for both gray-scale and color images has been introduced in [29]. This scheme encodes a number of successive pixels each time using only two basis matrices. However, it can not perfectly recover the input image. In [52], boolean operations are used to drive a probabilistic {2,n} scheme for binary CHAPTER 3. PRIOR WORKS 36 images and a deterministic {n, n} scheme for gray-scale images. Both of these schemes do not expand the size of the generated shares compared to original input image (i.e., m = 1). In general, they can not perfectly reconstruct the original input image. Their gray-scale scheme can, however, perfectly reconstruct the original input image when all of the generated shares are used in the decryption procedure. In [44-46], dithering and halftoning methods are used to control pixel expansion, but such steps decrease the quality of the reconstructed image. The extended halftone VC method proposed in [53] utilizes blue-noise dithering principles and the void and cluster algorithm to generate the shares which carry significant information. However, it expands the shares compared to the input image (m > 1) and also it can not perfectly recover the input image. The method in [54] considers any pixel color value from a set with c elements and thus develops a scheme with a pixel expansion factor of c. However, that decreases the resolution of the input image by factor c. The solution in [55] attempts to balance pixel expansion and perfect reconstruction for a {2, n} scheme with the quality of the recovered image depending on the expansion factor of the scheme. The higher the value of the pixel expansion factor, the better the achieved quality at decryption. In [56], a VSS scheme which preserves the aspect ratio of the recovered image is considered but its shares have an expansion factor greater than one and it still can not perfectly reconstruct the original input image. The algorithm in [57] is an extension of Shamir's scheme [25] which reduces the pixel expansion factor to m — \. However, it can not perfectly recover the input image because the reconstruction operation utilizes Lagrange interpolation in F251 (a finite field with 251 elements). An extended version of this scheme was also proposed, offering perfect reconstruction of the input image, with an expansion factor that is increased marginally, depending on the number of pixel values greater than 250. However, the generated shares leak information about the original image, aiding an attacker performing a brute-force exhaustive search attack on the original image [12]. CHAPTER 3. PRIOR WORKS 37 The proposed scheme in [58] can perfectly recover the original input image for a given set of c colors but it generates shares with dimensions larger than the dimensions of the original input. Improving the algorithm of [59] is the subject of [60]. The authors enhance the quality of the reconstructed image but still the shares are larger in size compared to the input image. The scheme introduced in [61] is an attempt to improve the pixel expansion characteristics of the solutions presented in [62] and [63]. Many of the existing VSS schemes that offer no pixel expansion result in either poor quality reconstructed images or images that are not identical to the original in put [64], [65]. For example, in [66] the reconstructed image's brightness looks unnatural resulting in poor visual quality results. The hybrid VSS scheme [67] has an adjustable pixel expansion at the expense of the reconstruction quality. The methodology in [67] explains the trade off between share size and quality of the reconstructed image and introduces size adjustable VC mechanism such that the user can choose the appropriate share size and the recovered image quality that fits an application. Applying secret shar ing schemes on JPEG images is considered in [68]. The proposed scheme generates shares with no expansion and perfect reconstruction in a {2,2} application scenario. However, for general {k, n} (n > 2) VSS scheme there is an increase in the expansion factor. The proposed VC scheme in [69] suggests different level of clarity for various coalition of the generated shares while preserving no expansion (m — 1). In [70] a bit reversing VSS scheme where white pixels are almost perfectly reconstructed in addition to per fectly reconstructed black pixels is proposed. In [71] a color {2,2} scheme with a pixel expansion factor of m = 4 is proposed, however the solution cannot perfectly reconstruct the original input image. The same performance is reported in [72]. The method has an expansion factor of m — 1 but it does not offer perfect reconstruction, thus it is of limited applicability. As it can be understood from this discussion, developing SSVD schemes which satisfy perfect reconstruction of the input image while considering bandwidth limitations (m) is CHAPTER 3. PRIOR WORKS 38 of paramount importance. Since color images occupy much more space and bandwidth compared to gray scale and binary images, the main focus of this work is on developing optimal schemes from the point of view of pixel expansion and perfect reconstruction for color images. 3.4 Matrix Projection Based VSS Scheme This section briefly explains the proposed SSVD scheme in [12]. The proposed method utilizes a block processing algorithm based on the solution of [57] to implement SSVD scheme with m < 1 and perfect reconstruction. The expansion factor is inversely pro portional to the block size, offering a trade-off between share size and computational resources required during share generation and decryption. The advantages of the pro posed method are its small expansion factor, its strong protection of the secret image, and its ability to process image in realtime. It is an effective, reliable and secure scheme to prevent the secret image from being lost, stolen or corrupted. Through the rest of this section, its encryption and decryption procedures are described in detail. 3.4.1 Encryption The proposed SSVD scheme in [12] utilizes the properties of the matrix projection based secret sharing scheme [73] to share the original input image. Since it considers the pixels in an image as elements of a matrix, through the rest of this section and without loss of generality, the sharing policy is performed on one of the color channels of the {K\ x K^) input color image S (namely Sc where 1 < c < 3). The input image is partitioned to (6 x 6) blocks where b > 2k — 3 for a {k,n} application scenario. If Kl£,K3 £ Z, where Z is the set of integers, additional pixels can be added to the input image to facilitate the partition process. The encryption process is applied on each of the f^1^3] blocks independently. Fig. (3.5) describes the pseudo- CHAPTER 3. PRIOR WORKS 39 code description of the encryption step of the proposed scheme which is applied on one of the (b x b) blocks of the input image, namely Q. To clarify this methodology, we consider a numerical example of sharing of a matrix in a {k, n} — {2,4} application scenario where 2 3 12 5 4 6 1 Q 8 9 7 2 3 4 12 Let 6 = 4 which satisfies b > 2k — 3 and choose a (4 x 2) random matrix A as follows: 10 1 7 2 A = 8 4 1 1 As a result the projection matrix Q is equal to 53 87 88 175 87 137 199 100 (A x (AT x A)"1) x AT(mod251) = 88 199 119 46 175 100 46 195 and the reminder matrix is equal to 51 84 87 173 82 133 193 99 R=Q-Q= 80 190 112 44 172 96 45 193 Also, let 1 1 1 X\ , %2 = , xl = and £4 = 17 7 1 CHAPTER 3. PRIOR WORKS 40 Input: A (b x b) matrix Q, k and n Output: n generated shares SHi,..., SHn Step 1. Construct a (6 x k) random matrix A of rank k Step 2. Determine its projection matrix Q = (A x (AT x A)-1) x AT (mod 251) Step 3. Determine the reminder matrix R — Q — Q (mod 251) Step 4. If any elements in Q and R is greater than 251, go back to Step 1 to generate a new matrix A Step 5. Choose n linearly independent (k x 1) random vectors Xi and n distinct values r-j € Z (1 < i < n) Step 6. Calculate tj = A x i; (mod 251) for 1 < i < n Step 7. Employ the proposed secret sharing method in [57] to share R as 1 mod Gi = [g\, gi,... ,g}k,] for g\{j) = R(tk+i,j) + ••• + R(tk+k-ij)rt~ ( 251) where 1 < t < [f] and 1 < j < b Step 8. Let SH; = [%, d] (1 < i < n) Figure 3.5: Pseudo-code description of the encryption phase of the proposed SSVD scheme. CHAPTER 3. PRIOR WORKS 41 Thus, vt = A x ~xl for i = 1,2,3,4 27 17 11 19 41 21 9 25 «i = "2 V3 and V4 76 36 12 44 18 2 10 Let Ti = i for « = 1,2,3,4. As a result, 116 242 32 242 199 147 115 225 36 210 36 210 21 12 139 164 Gi G2 Ga G4 = 232 95 232 95 103 7 164 214 234 13 234 13 42 129 197 187 Therefore, the generated shares are equal to 27 116 242 17 32 242 41 36 210 21 36 210 SH! = SH,= 76 232 95 36 232 95 18 234 13 8 234 13 11 199 147 19 115 225 9 21 12 25 139 164 SH3 SH4 12 103 7 44 164 214 4 42 129 10 197 187 Comparing the generated shares (SH^) and the input secret (Q) verifies that the produced shares are m = ^ + i = |of the input information in size. As a result the proposed SSVD scheme in [12] can be considered as a good candidate for transmission of images through bandwidth limited communication channels. CHAPTER 3. PRIOR WORKS 42 Input: Hi and G, where 1 < i < n Output: Matrix Q Step 1. Recover R from a qualified coalition of the participants Step 2. Let B = [v^,... ,n?t] where {ii,i2, • • • ,it} C {1,2,... ,n} and k Figure 3.6: Pseudocode description of the decryption phase of the proposed SSVD scheme. 3.4.2 Decryption The main idea behind the decryption procedure is to recover the reminder matrix R and the projected matrix Q from any coalition of Gj's and Uj's with k or more members respectively. The pseudo-code description of the decryption procedure is described in Fig. 3.6. As a numerical example, we proceed the previous example in encryption part. Suppose the first and second participant want to jointly recover the input secret Q. Let 27 17 41 21 B = [vt, V2] = 76 36 18 8 CHAPTER 3. PRIOR WORKS (a) (b) (c) (d) Figure 3.7: The proposed SSVD scheme in {2,2} (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image Then 53 87 88 175 87 137 199 100 (B x (BT x B)"1) x BT = (mod 251) 88 199 119 46 175 100 46 195 Finally, the input secret Q can be perfectly recovered as follows 2 3 12 5 4 6 1 Q=R+Q= (mod 251) 8 9 7 2 3 4 12 Fig. 3.7 depicts the proposed scheme in [12] which is evaluated in a {2, 2} application scenario. The block size which we choose for simulation is b = 2 to satisfy b > 2k — 3 = 1. Visual comparison of Figs. 3.7a and 3.7d verifies perfect recovery of the input image. The size of the generated shares and the input image are the same due to the expansion factor ofm = | + i = l. It should be mentioned that although increasing the block size (6) reduces the pixel expansion factor (m) of the scheme but there is a tradeoff between the expansion factor of the scheme and the required computational resources during encryption and decryption procedures. CHAPTER 3. PRIOR WORKS 44 3.5 Chapter Summary This chapter has reviewed a number of significant works in VSS. It has demonstrated the {k, n} secret sharing scheme terminologies as the fundamental framework in various VC solutions. Then, the bit-level based SSVD scheme [30] has been briefly discussed where the proposed bit-level based scheme in Chapter 4 can be considered as an improvement of [30]. After that, a review of most of the important works in VSS has been presented. Finally, the matrix projection based SSVD scheme [12] has been analyzed as a competing approach against the solutions which offer reduced pixel expansion factor. Chapter 4 SSVD Schemes With No Expansion This chapter proposes SSVD schemes with no expansion factor while satisfying perfect reconstruction property. Two SSVD schemes for color images with different functional ities are developed. The first scheme employs Karnaugh map design to offer a bit-level based {2,2} SSVD framework. The second scheme utilizes number theory concepts to develop a {k, n} SSVD scheme. Experimental results using a variety of input images and application scenarios are illustrated along with comparisons to other schemes to prove the effectiveness of the proposed schemes. 4.1 Karnaugh Map Based {2,2} SSVD Schemes This section introduces a novel family of {2,2} schemes suitable for color image process ing. The proposed design utilizes matrix sets derived using a Karnaugh map. The encryption and decryption functions are executed at the bit level of the RGB color representation. Two schemes with different objectives and functional requirements are discussed in this section. The first proposed scheme A achieves perfect reconstruction with a pixel expansion factor of 2 while the second scheme B offers perfect reconstruction with no pixel expansion. Although many schemes which claim enhanced security, scalability and flexibility have 45 CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 46 been proposed recently, only a few of them offer perfect reconstruction in the context of bandwidth constraint communication systems. The proposed {2,2} schemes can be considered as the basic solutions of a generic {k, n} problem for color images [74], [75]. Although many prior works explicitly differentiate between {2,2} and {k,n} schemes because their {2,2} decryption function is pixel based while the corresponding {k,n} is block based [30], our proposed solutions follow the exact same design regardless of the number of shares and/or participants. It should be mentioned that both of the proposed algorithms apply on each binary tuple of the decomposed RGB input image independently. The rest of this section is organized as follows. Sections 4.1.1 and 4.1.2 demonstrate the proposed bit-level based schemes in terms of their encryption and decryption pro cedures in detail while Section 4.1.3 discusses input dependent and input independent solutions. It should be mentioned that through the rest of thesis, encryption stage of the proposed schemes is performed on the permuted input color image Sp and the inverse of the permutation is applied on the decrypted image. 4.1.1 Scheme A Encryption The encryption function /e(-) applies on each binary tuples of the spectral channels of a color pixel independently. Fig. 4.1 describes the pseudo-code description of the proposed scheme A. Since for two bits there are only four combinations, four (2 x 4) encryption CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 47 Input: Input color image S with dimension [K\ x K2) Output: Share 1, Share 2 and Reconstructed matrices Step 1. Permute the input image (S —* Sp) Step 2. Let (i,j) = (1,1) (starting point of the process) Step 3. For each of the color channels of the pixel at spatial position (i,j), produce a binary representation according to (2.4) Step 4. For each of these binary tuple representations, compute first and second shares according to (4.2) Step 5. Replace decimal version of share 1 and share 2 in share 1 and share 2 matrices Step 6. Reconstruct the output using (4.3) Step 7. Let i = i + 1 Step 8. If i > Ki go to step 9 else go to step 3 Step 9. Let j = j + 1 Step 10. If j > K2 go to step 11 else go to step 3 Step 11. Apply the inverse permutation on the decrypted image Figure 4.1: The pseudo-code description of the proposed scheme A. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 48 matrix sets are defined as follows: 0 1 0 1 1 0 1 0 0 0 11 Cnn = < J > 0 1 0 1 1 0 1 0 0 0 11 1 1 0 0 1 0 0 1 0 110 Coi — J 5 1 1 0 0 1 0 0 1 0 110 (4.1) 0 1 0 1 1 0 1 0 0 0 11 c10 = 1 1 0 0 1 0 0 1 0 110 Cn = l > ) 0 0 1 1 0 1 1 0 10 0 1 where Cy- is the basis matrix set for encrypting the binary tuple (i,j) (i,j = 0 or 1). The encryption module randomly selects one of the three elements comprising each set of Cy. Assuming that d E {1,2,3} is randomly selected for Cy, the dealer uses the dth matrix in Cy set (Cy) to encrypt the binary tuple (i,j). The first row of this matrix forms the first share element that relates to the original value (i, j) while the second row forms the entry in the second share. Thus, the encryption function can be defined as: Jelij /e(*,j) = C£.= (4.2) fe2ij th where fekij — (sife, S2k, s^k, S4k)ij (fc = 1 or 2) is the k part of the encryption function output for the tuple (i,j) (kth share of the tuple (i,j)). It is obvious that given the size of the binary tuple (i,j), which is two bits and the size of the element /«,&„, which is four bits, (i,j) is expanded by an expansion factor of two (| = 2). The previously outlined procedure operates on a color image S using its bit-level representation. In this case the kth element of each binary tuple (i,j) is replaced in kth share image where A; = 1 or 2. If the size of the original input image is K\ x X2, the size of each of the share images is 2K\ x K2 due to the pixel expansion factor of m — 2. Since none of feuj equals, in value, to (i,j), no information will be revealed in the generated shares. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 49 Decryption Decryption is performed using the bit level representation of the share images, as follows: (0,0) if sTT.s21sir.s41 + sn.s5T.s31.s4T + sTT.siT.s31.s41 = 1 and feuj — fe2ij (0,1) if s1i.S2i.S3T.s47 + sn.s5T.siT.S4i + sTT.S2i.S3i.S4T= 1 and feuj — fe2ij JdxJelij) Je.2ij) (1.0) if S11.S21S3T.S41 + Sn.s5r.s31.s4T + sTT.S2T-s31.S41 = 1 and feuj ^ fe2ij (1.1) if SH.S21.S3T.S4T+SH.S2T.S3T-S41 + STT.S21.S31.S4T= 1 and feuj 7^ fe2ij where (i,j) denotes the recovered version of the binary tuple using feuj and fe2ij- This function takes the advantage of the arrangement of binary pixels in C,j sets. If the input of /d(-) is the rows of one of the matrices in Cy, based on the / (i,j). For example /^(OOll, 0011) = (0,0) because both of fd 's input are the rows of one of the matrices in Coo- After decryption of all of the permutated input image pixels, the inverse of the permutation step is performed on the decrypted image to perfectly recover the input image. Thus, it can be concluded that the proposed scheme can perfectly reconstruct the permutated input image with an expansion factor of m = 2. 4.1.2 Scheme B In order to address the above limitations of scheme A in the context of bandwidth constrained transmission, namely a pixel expansion of m = 2, an alternative method that achieves no pixel expansion (m = 1) is proposed in this part. Fig. (4.2) describes the pseudo-code description of the proposed scheme B. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 50 2 3 Input: S : Z -• Z , {Kx X K2) Output: Share 1, Share 2 and Reconstructed matrices Step 1. Permute the input image S —> Sp Step 2. Let (i,j) = (1,1) (starting point of the process) Step 3. For each of the color channels of the pixel at spatial position (i,j), produce a binary representation based on (2.4) Step 4. For each of these binary representations, compute Shi and Sh2 as it is mentioned in Table 4.1 Step 5. Replace decimal version of Shi and Sh2 in (i,j) spatial position of share 1 and share 2 matrices respectively Step 6. Based on Shi and Sh2, compute S&, as it is mentioned in Table 4.1 Step 7. Replace decimal version of S&. in (i,j) spatial position of the matrix that is represented as the reconstructed image matrix Step 8. Let i = i + 1 Step 9. If i > K\ go to step 10 else go to step 3 Step 10. Let j = j + l Step 11. If j > K2 go to step 12 else go to step 3 Step 12. Apply the inverse of the permutation Figure 4.2: The pseudo-code description of the proposed scheme B. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 51 Encryption The proposed scheme encrypts two original bits by mapping them to two other bits thus offering no pixel expansion (m = 1). By design the input color image (secret input) and the two shares are of the same size. It is easily understood that for mapping two bits, there are only four possible combinations, namely {00,01,10,11}. According to these combinations, four (4 x 4) encryption matrices are defined as follows: 0 10 1 0 0 0 0 0 110 110 0 Coo = Coi — 1111 1110 10 0 1 10 11 (4.4) 0 0 0 1 0 0 10 0 0 11 0 10 0 C10 = Cn = 0 111 10 0 0 110 1 10 10 where C^ is the basis matrix for encrypting the binary tuple (i,j) (i,j — 0 or 1). The encryption module randomly selects an integer indicator q £ {1,2,3,4} (since each of Cy- matrices has four rows and the dealer should choose one of them). Based on its outcome, th the dealer uses the q row of Cy- matrix (Cy-) to encrypt the tuple (i, j). The first two elements of Cy- form the first share entry which relates to (i,j) while the remaining two elements form the entry for the second share. Thus, the encryption function can be defined as: fe(i,j) = Cfj = [feuj, fe2ij] = [(/in, hu), (/i2i, /122)] (4.5) and Cfj = (hn,h12,h21,h22) (4.6) CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 52 th where f^uj and htz (k, t, z = 1 or 2) are the k part of the encryption function for the tuple (i,j) and zth element of tth share, respectively. Certain conditions and constraints are imposed during the encryption matrices row selection. For example, each of the 2- tuples (/in, ^12) and (/121, /122) must be different from the original binary tuple (i,j) since shares must be significantly different from the input image. As each row of encryption matrices has four elements, there are 24 = 16 possible choices for each row. However, the imposed constraints eliminate seven choices (forbidden combinations) from the Karnaugh map (the row and column that contain the binary tuple (i,j))- Thus, the permissible choices are based on the remaining nine elements as they are defined by the Karnaugh map logic. For example, assuming that the dealer considers replacing the rows of matrix Coo, the allowable options are restricted to the minterms marked in Fig. (4.3). Given the fact that in the proposed scheme there are four variables {/in, /112, /121, ^22}) the related 24 = 16 minterms are represented in a (4 x 4) Karnaugh map. Each of the rows in the defined encryption matrices can be considered as a four-tuple consisting of binary elements. In other words, each row is a four-bit string that can be represented in a (4 x 4) Karnaugh map logic. Decryption Similar to the encryption step, the proposed decryption function is also based on the Karnaugh map logic. Based on the rows of encryption matrices, the decoding function CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 53 hl2lh22 MO M4 M12 M8 M1 M5 M13 M9 M3 M7 M15 M11 M2 M8 M14 M10 Figure 4.3: A mapping of minterms on a Karnaugh map CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 54 Table 4.1: The summary of the notations in the proposed Karnaugh map based scheme B Input (secret) S = (si, s2, s3, Si, s5, s6, s7, ss) Shares Shi = (Vi2i, V341, V56i, Vrsi) and Sh2 = {Vu2, V342, V562, V782) reconstructed Sde - (MV12), fd(VM), fd(VB6), fdiVn)) can be defined as follows: (0,0) if hn.hu-h2i-h22 + hn.h12-h21.h22 +hn-hi2.h21.h22 + hn.h12-h21.h22 = 1 (0,1) if hn.h12.h21.h22 + hn.h12-h21.h22 +hn.hi2.h2i.h22 + hn-hi2.h2i.h22 = 1 , N Id{hll,hi2,fl21,h22) = < (4.7) (1,0) if hn-hu.h21.h22 + hn-h2.h21.h22 -\-hn-hi2.h2i-h22 + hn.h12.h21.h22 — 1 (1,1) if hn.h12.h21.h22 + hn.hn.h21.h22 •\-hn.h12.h21.h22 + hn-hi2.h2i.h22 = 1 where /i^ («, jf" = 1 or 2) means complement of /iy and (/in, /ii2,/i2i, ^22) = C1^-- The outcome of the expressions in (4.7) has a value of 1 if and only if the corresponding row which we built by concatenating elements from share 1 and share 2 belongs to a single row of a matrix in the set of matrices defined during the encryption process. To find a boolean function, minterms that produce binary 1 are added modulo 2. Boolean expressions in (4.7) correspond to functions that are determined by adding some specified minterms modulo 2. The logic expression for (i, j)-the output of the decoding process-with i, j = 0 or 1 is defined by adding the minterms corresponding to Cy rows. If these specified minterms are related to Cy rows, the decoding function will return (i,j). The notation used in scheme B for sharing of one byte (each of the S(;j)c in (2.4)) of the original input image is summarized in Table 4.1. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 55 As it can be seen 0< S < 255 (S is one byte consisting of eight bits), s, = 0 or 1 where 1< i < 8, Shj is jth share of S, Vt(t+1) = (^(4+1)1,14(4+1)2) (4.8) and Vt(t+l)j = fejstst+i = (Stje, S(t+l)je) (4-9) where t — 1,3,5 or 7 and j = 1 or 2 are used to indicate the elements of the shares and corresponding share respectively. The proposed scheme B perfectly reconstructs the permutated input image as it will be shown in the following theorem. Theorem 4.1 (Perfect reconstruction:) A secret (S), at the byte level, is perfectly recovered by fusing together the shares Shi and Sh2 produced by scheme B. Proof 4.1 Sde = (fd(V12i,V122)Jd(V341,V342),fd(V561,V562)Jd(V7S1,V782)) = \Jd\JeisiS2i Je2SiS2)i Jd\JeiS3S4, Je2S3S4/) /dVJeiS5«6> Je2S5Se)y Jd\JeiS7S$, Je^sjss)) = (fd(fe{si,S2)),fd{fe(s3, S4)), fd(fe(s5, S6)), fd(fe(s7, S8))) = (si,s2,s3,s4,s5,s6,s7,ss) = s Since all the pixel bytes (three bytes for each pixel) of the original input image can be reconstructed in the same manner, the proposed scheme satisfies the main characteristics of a secret sharing solution, namely perfect reconstruction. After decrypting all pixels, the inverse of the permutation matrix is used to provide the reconstructed outcome. Since the permutation step does not change the nature or the dimension of the decrypted image, it can be claimed that the scheme B is a sharing scheme with no pixel expansion that offers perfect reconstruction. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 56 As it was previously discussed in Chapter 1, secret sharing schemes are utilized to enhance security and protect visual content transmitted over un-trustworthy commu nication channels. Therefore, each of the two generated shares must not reveal any information which can be used to recover the original input image. In the proposed {2,2} schemes, an individual can decode the secret image only if possesses both shares. In other words, a single share by itself does not reveal any meaningful information about the original input image. For example, suppose fe(i,j) = [(/iiii^i2), (^21)^22)]- A VSS scheme is secure if and only if (hn,hx2) =j^ (i,j) and (h2i,h22) 7^ (hj)- The condition is satisfied because (hu,hi2, h2\,h22) — Cfj and none of binary tuples (hn,hi2) and (h2i,h22) are equal to (i,j) due to the encryption process. For example to encrypt (0,0), the dealer chooses one of Coo rows randomly. It is clear that none of 2-tuples (tin, h\2) and (/i2i, h22) is equal to (0,0). In order to compare bandwidth utilization and thus the size of the data that is sent through the communication channel, the proposed scheme B is compared with the solu tion introduced in [30]. In [30], in order to send a color image with size (K\ x K2) in a {2,2} scheme, two shares each with size (2K\ x 2K2) must be sent. In other words, to communicate visual information of size (Ki x K2), information with size (8K\ x K2) should be transmitted. In the proposed scheme B for transmitting a color image of size (K\ x K2), two shares each with size (K\ x K2) and two permutation matrices with sizes (K\ x Ki) and (K2 x K2) respectively should be transmitted. It is obvious that in scheme B the size of the transmitted data is less than [30]. 4.1.3 Input dependent and input independent solutions Both of the proposed schemes (schemes A and B) are readily applicable to Input Agnostic (IA) and Input Specific (IS) solutions. They can introduce different levels of security as IA and IS design frameworks have different characteristics [76]. The main parameter that controls both of the encryption and decryption procedures of the proposed schemes is CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 57 the number of bit planes that is used in representation of the image. For example in gray scale this number is 8, while in color images representation in RGB space this number is 8 for each of the spectral components. In an IA solution all of the decomposed bit levels of an image are consecutively processed i.e. this solution generates 8 bits shares for gray scale images and 8 bits for each color channel of color images. Since our proposed schemes can be applied on binary, gray scale and color images, they are IA solution. On the other hand, the IS schemes process the original input image in the specific format. It includes encryption, shares generation, stacking of the generated shares, de cryption and recovering of the original secret image. In IS solutions, the main assumption is that the secret input image is a color vector field and it leads to replacing the correlated image content with its share which are variant uncorrelated in spatial and spectral sense. In other words, in IS solutions the generated shares are color images however the original input image can be a binary, gray scale or color image. However, in IA schemes the type of generated shares depends on the type of the original input image i.e. binary, gray scale and color images have binary, gray scale and color shares respectively. The application of IS solutions is in the cases of processing the image with less rich bit-representation than that of the required in the IS input and it requires format conversion. Since our scheme performs on the bit level of the original input image, we can change the format of the shares easily. 4.2 Number Theory Based {&, n} SSVD Scheme A novel SSVD scheme suitable for enforcing the confidentiality of digital color images is proposed in this section. The scheme employs number theory concepts and the fi nite ring integer representation of the color image pixel values to generate shares in a {k, n} secret sharing scheme. The generated noise-like shares use the same finite ring integer representation (8 bits-per-pixel/channel) and have the same pixel dimensions as CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 58 the original image (pixel expansion factor of m = 1), making the shares suitable for use in digital imaging systems which offer fixed resources for image storage and transmission. Furthermore, the share generation algorithm can be implemented using 8-bit processing operations on a pixel-by-pixel basis, allowing for low-complexity hardware implementa tions. When k or more shares are polled, the decryption procedure is able to perfectly reconstruct the original image. The solution presented in this section formulates the problem using number theory concepts rather than bit level decomposition for the color image pixel values. Although the developed solution can be applied to any number defined over a finite ring, in this work we focus on solutions for Z256 = {0,1,2,..., 255} to comply with the integer number range typically used in color image processing [77]. The reminder of this section is organized as follows. The proposed SSVD scheme is presented in Sections 4.2.1 and 4.2.2. The design characteristics of the encryption and decryption functions are analyzed in detail. In Section 4.2.3, the number generation algorithm utilized in the proposed solution is described. Section 4.2.4 discusses the necessary implementation details when dealing with real image input, as well as the security analysis of the proposed scheme. Comparison in terms of optimality and applying number theory concepts in some other secret sharing schemes are also discussed in this section. 4.2.1 Encryption of the Permuted Image The general secret sharing solution for the color input in the proposed framework is depicted in Fig. 4.4. Having obtained the permuted image Sp of the original input, a secret sharing scheme operating at the pixel level of Sp's spectral planes is used. The solution relies on number theory principles and concepts (see Chapter 2 for details). The process begins by considering a set of integer numbers: X = {xi\xieZ,Xi^l,l Compression/ {^^•••>W^V,>---A,,}J {P.JM- Share Generation Si {SySyV M Encryption/ {SHp, Slip,..., Slip} I •zPermutatio n yj Share Generation Share Generation • •\X = {xl,x2,...,xn} Color Channel Separation Generate Generate X {fl.ft ?q.jl.l)> • Number Generation Figure 4.4: System level diagram of the proposed number theory based SSVD scheme of generality, we define the elements of a subset of participants with Pp — {i™, i^,..., i™}. We complete the introduction of supporting elements by building x's sub-sets with car dinality t as Xt = {xi\ii € Pt™} and X* C %, 1 < i < n, in other words by introducing a n one-to-one correspondence between sets Pt and Xt- The recursive algorithm discussed in Section 4.2.3 is used to generate a set of integer values x and subsets xt with the following property 1 t>k gcd(xt) (4.11) other t < k where gcd(-) stands for the greatest common divisor. Let us assume that numbers x with the property in (4.11) is satisfied. The value of th the pixel located at spatial position (i, j) at the c spectral plane Spc of the permuted image is to be shared following a {k, n} secret sharing algorithm. For the Ith participant with 1 < I < n, the share value is generated as follows: l sh p(i,j) = [xi • sPc(i,j)] mod 256 (4.12) CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 60 Obviously, repetitive application of the secret sharing rule to each spatial position (i,j), i = 1,2,... ,Ki, j — 1,2, ...,K2 and each spectral plane c = 1,2,3 results in the th 2 3 construction of the I image share defined as SHP : Z —•> Z with spatial dimension (Ki x K2) and color pixel values defined as: l l l l T SH P(i,j) = [sh Pl(i,j),sh P2(iJ),sh P3(iJ)} (4.13) Simple visual inspection of the share generation formula in (4.12) indicates that the Ith l shared value sh Pc(i,j) is an integer value between 0 and 255. In other words, both the spatial dimensions and the spectral representation of the Ith share SHp are identical to those of the original S and permuted Sp input image. Thus, it can be claimed that the proposed secret sharing scheme affords no expansion in size of the generated shares compared to the original input image. The pseudocode description of the encryption pro cedure is provided in Fig. 4.5. It is important to note here that the utilized terminologies in Fig. 4.5 will be described in detail in Section 4.2.3. The permutation matrices are shared in a similar manner which will be demonstrated in Section 4.2.4. 4.2.2 Decryption of the Permuted Image The main function of the decryption module is to recover the permuted image Sp from the available shares. Since any {k, n} scheme requires that a set of k or more participants can recover the input image, we start the decryption process by considering the cardinality t of the set Pp. Let us consider the case for k < t < n (a qualified subset of participants). Because of (4.11), the Bezout's lemma suggests that 3 s = {s;|V?. ^2i^pn SiXi = 1. Based on the one-to-one correspondence between the generated share n images SHP (1 < I < n) and the complete participant index set P , consider a subset of shares SH™ = {SHP|Vi € P™} which want to reconstruct the input. Having the knowledge of Sj (V i € P"), allows the participants in the subset P™ to put their shares CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 61 Input: k, n and a {K\ x K2) color image S Output: n visual shares SHP (1 < i < n) Step 1. Generate Pi and P2 where 1 2 Kl Pi = [e , e ,..., e ] (P2 can be constructed similarly) Step 2. Permute the input image channels SPc = (Pj x Sc) x P2 c = 1,2,3 a n Step 3. Compute matrix look-up table A-nxC(n,k-i) = [ Uj) ] 1 ^ * ^ > 1 < 3 < C(n, k-l) Step 4. Generate a* = Y^={k~l) p}ij) 2 3 l l ] Step 5. Generate shares SHp : Z —> Z , SH P(i,j) = [sh p1(i,j),shp2(i,j),shp3(i,j)}' l where sh Pc(i,j) — [xi • spc(i,j)] mod 256 1 < I < n, 1 < i < Kx and 1 < j < K2 Figure 4.5: Pseudocode description of the encryption phase of the proposed number theory based SSVD scheme. together and recover the input image as follows: SPr = [ Y, «iSH*p] mod 256 iepp — [ Y2 SiXiSp] mod 256 iePp = [^ SiXj]Sp mod 256 = 1 • SP mod 256 = SP (4.14) The existence of the inverse permutation matrices suggests that the input color image S can be perfectly recovered as follows 1 1 (Pj" X SP«) X P2 CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 62 1 1 = (P^ x SP) x P2 1 1 = P^ x ((Px x S) x P2) x P^ = IxSxI = S (4.15) For the case 1 < t < k - 1, according to (4.11), gcdfe) ^ 1 and it is not possible to define a set s such that Y,iePn sixi = 1 ^d Spn can not be constructed and as a result Sp can not be recovered. The pseudocode description of the decryption procedure is provided in Fig. 4.6. Input: n generated shares SHP, Pi, P2 and x; (1 < i < n) Output: Recovered image S Step 1. For t>k, compute s, (i G P") according to the extended Euclidean algorithm (see Chapter 2 for details) satisfying J2iePn sixi = 1 n Step 2. Reconstruct the permuted image Spn = J2ieP SjSHP mod 256 Step 3. Recover the input image S = (Pf1 x Spn) x P^1 Figure 4.6: Pseudocode description of the decryption phase of the proposed number theory based SSVD scheme. It is obvious that the proposed system depends critically on the availability of the values Xi and Si needed during the encryption and decryption stages. In the sequence, a novel solution for the generation of these numbers will be introduced, analyzed and commented upon. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 63 4.2.3 Number Generation Algorithm The mathematical framework for the generation of the set x used in the development of the proposed scheme is presented in this part. The algorithmic solution which we are planning to introduce satisfies equation (4.11). In the proposed {k,n} secret sharing scheme, the number of necessary prime factors for generating each xt (1 < i < n) depends on the values of the k and n. Let us assume that Xi € x with Xi having prime factors selected from the C(n,k— 1) candidates. Further to that, assume the C(n, k — 1) random prime factors needed to generate Xi are defined as: {pi,P2, • • • ,Pc(n,k-i}}- We introduce a matrix A with dimensions (n x C(n, k — 1)) and its entries are defined as: A„xC(n,fc-l) = [a^j"\ (4-16) where l C{n,k—1) (fc,n) Xi= n p?ij) (4-18) Having defined A as a look up table matrix, the greatest common divisor property (4.11) suggests that A should be constructed as follows: 1. Considering each column of A separately, any subset of the row elements with k or more elements should contain at least one 'zero' element or equivalently at most (k — 1) 'one' elements. Vk < t < n and VI < j < C(n, k - 1), 3i e P" such that ag"} = 0 CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 64 The condition implies that Vt > k, there is no column for which pj is a common factor of Xt, thus ensuring that gcd(x<) = 1. 2. For any arbitrary set of t < k rows of A, there exists a column j with 1 < j < C(n, k — 1) within this set of rows such that all of its elements are equal to 'one'. Vt < k, Vi € If, 3jl This condition implies that W < k, there exists a prime factor pj which is a common factor of Xt, thus implying that gcd(xt) > Pj- We next formulate our algorithmic framework and present a proposition for the recursive construction of matrix A. Proposition 4.1 The matrix representation A for the numbers Xi needed in our {k,n} scheme can be obtained recursively as follows : -lxC(n-l,k-l) k-n-lxC(n-l,k-2) ^nxC(n,fc-l) = (4.19) OlxC(n-l,k-l) •^lxC(n-l,fc-2) where 0ixc(n-i,fc-i) and lixC(n-\,k-2) are row vectors composed ofC(n — 1, k — l) 'zero' elements and C(n — l,k — 2) 'one' elements respectively. The recursive procedure's initial condition is defined as: Aixc(»,i) = h where I, is the identity matrix with i rows for r iT 2 Proof: See Appendix A. Proposition 4.1 is used to recursively generate the needed numbers in a cost effec tive manner. To facilitate the understanding of the proposed algorithm, an example is included in Appendix B. It is a useful addition to this section as it provides a simple and easy way to follow the proposed solution. By construction, matrix A must contain C(n,k — 1) columns . It is equal to the number of ways that a binary vector of dimen sionality n can be constructed such that any subset of (k — 1) or less of its elements is a CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 65 set of 'ones' and any subset of k or more of its elements contain at least a 'zero' element. The analytical proof of the claim is summarized in the following proposition: Proposition 4.2 The exact number of the columns in matrix A is equal to C(n, k — 1). Proof: See Appendix A. Finally, it should be noted that the recursive number generation algorithm summa rized in Proposition 4.1 is deterministic in nature and it has to be executed only once for a given {k, n} secret sharing scheme. Since % should be uniquely determined for each secret sharing solution, the candidate prime factors Pj should be varied from one application to another. 4.2.4 Implementational Issues and Analysis Having discussed all of the necessary components of the proposed SSVD solution, in this part we focus on implementational issues. In particular, we discuss in detail share generation using 8-bit processors, the sharing of the permutation matrices using the proposed number theory based secret sharing scheme, we compare the proposed scheme against other number theory based solutions, we provide a cryptanalytic evaluation of it, we evaluate it in a {2,2} SSVD application scenario, and finally analyze it in terms of its pixel expansion and perfect reconstruction properties. On Implementation Using 8-bit Processors The encryption phase of the proposed algorithm (4.12) involves a simple multiplication modulo 256 of the individual pixel values by the values Xj. Hence, the output values are represented in the same 8-bit finite ring as the input pixels. Hardware implementations of binary multiplication generally involve shift-add operations and generate a series of partial products which must be summed [78]. Since the modulo 256 output represents the lower-order 8 bits of the complete product, the net effect is that only the first 8 shift-add CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 66 operations are required, and consequently only the lower-order 8 bits of Xi are required to complete the operation. Ultimately, the entire share generation operation (4.12) may be performed using an 8-bit processing pipeline on individual pixels, making it highly memory and processing efficient and suitable for implementation using simple graphics processors. In comparison, the solution presented in [12], while offering visual shares with perfect reconstruction and possible pixel expansion m < 1, uses a complex operator on a block of pixels, requiring significantly greater computational resources. The pixel expansion is inversely proportional to the block size, thus only offering the benefit of smaller share size when the processing blocks are made sufficiently large. On Sharing of Permutation Matrices The proposed secret sharing scheme is applied to the compressed permutation matrices Pi and P2. In our proposal, Pi and P2 can be shared in a similar manner. Let: P\hl = Xi • Pi mod Kx (4.20) th be the i share of Pi. The shares P^2 can be calculated in a similar manner. For t > k, based on the constructed Xt and the Bezout's lemma, 3s = {si|Vi € F™,Sj € Z} such that YlieP" sixi = 1 and therefore Pi = ^P^modKi = ^T sixiP\ m°d A'l iepp = Pi • ( Yl SiXi) m0d Kl ieP? = Pi (4.21) In other words, the qualified subsets of participants can perfectly recover the permutation matrices and use them to decrypt the input. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 67 On Number Theory and Secret Sharing In a number of previously proposed secret sharing solutions, such as [79] and [80], number theory concepts are utilized for share generation and decryption. Since they operate on an integer value and our proposed SSVD scheme is also applied on the pixel levels of the original input image which are integer numbers, a short discussion on the schemes of [79] and [80] and their properties is provided below. In [79], a number theory based solution for sharing an integer value a0 € Z with 0 < ao < p using a set of integers {p, mi < rri2 < • • • < mn} € Z was proposed. Based on a number of conditions imposed on the p and rtii (1 < i < n), for example: nLi mi > Plii-i1 "in-»+i, gcd(mj, m,j) = 1, Vi ^ j, gcd(p, mi) = 1 VI < i < n, the secret integer input ao was recovered using k produced shares by invoking the Chinese remainder polynomial. However, it should be noted that the conditions on {p, nix < mi < ... < mn} used in the generation of the n shares implies that some of the integer values m* are greater than the value p used to bound from above the secret a0- According to the proposed solution in [79], the ith share is computed in GF{rrii) (a finite field with mi elements) where 1 < i < n. In other words, the shares are allowed to expand in size compared to the original input ao. This condition renders the scheme of [79] un-suitable for sharing of pixel values of the color images considered in this application. According to the proposed method in [80], to share ao G GF(po), a set of prime numbers {po < p\ < pi < ... < pn} with some specified properties is required. Using A; or more shares, the input secret can be perfectly recovered. According to their algorithm, the secret (ao) is an element of GF(po) while the ith share (1 < i < n) is an element of GF(pi) where pi > po- Therefore, there is expansion in the size of the generated shares compared to the input secret ao- Similar to [79], the proposed secret sharing scheme in [80] is not appropriate for transmission of color images over bandwidth limited communication channels. Compared to these methodologies, the main contribution of our solution is the devel- CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 68 opment of a SSVD scheme without pixel expansion while satisfying perfect reconstruction property. According to (4.13), both of the secret and share are elements of Z^m and it can be concluded that there is no expansion in each of the pixels of the shares compared to their corresponding pixels in the original input image. On Security Analysis Simple inspection of (4.12) and (4.13) indicates that the security of the proposed solution depends on the security of the values Xi used to generate the ith share at the pixel level. Thus, a procedure to protect Xi values against unauthorized access is needed. To keep with the theme of the proposal, a secret sharing scheme is utilized for this task. By construction, a simpler secret sharing scheme can be used. In this work, we employ the bit-level based secret sharing scheme of [30] (see Chapter 3 for details) to share the xt values. Using the {k, n} bit-level solution of [30], we can prohibit individual share holders from acquiring the values Xi without the required coalition of k or more participants. To effectively apply the scheme of [30], we need to know values k and n, which are readily available, as well as the highest possible value xmax that the x, might take in order to determine the number of bits required to represent them. To compute this value, we require knowledge of how many candidate prime factors can be used in the generation of x^ Using the definition of matrix A in Section 4.2.3, this corresponds to calculate the number of non-zero elements in each row of A. The following proposition provides our result. Proposition 4.3 The number of non-zero elements in each of the rows of matrix A is equal to C(n — 1, k — 2) Proof: See Appendix A. Thus, using Proposition 4.3 and the definition of x{ in (4.18), it can be claimed that C(n,fc-1) aw= II Pi (4-22) i=C(n-l,k-2)+l CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 69 where the prime factors v% are in ascending order by magnitude, relative to the index i. In other words, zmax is calculated as the product of the largest C(n—1, k—2) candidate prime factors for a {k,n} secret sharing scheme. Hence, if a known upper bound of candidate prime factors pmax is provided, xmax can be calculated and #j is shared using [30]. However, we note that the security of the values x% is also dependent on the number of possible values that they might assume being large enough to protect against an exhaustive search attack. Given the fact that attackers know k, n, and pmax> they can search through all the possible choices of C(n, k — 1) candidate prime factors to calculate the values x, using A (which the attacker also has due to its deterministic nature). Gauss- Legendre [81] dictates that for large enough pmax, the number of prime factors which is less than or equal to pmax is asymptotically equal to m Pmax Thus, it is possible to choose the needed C(n, k — 1) candidate prime factors from 7 in C(L7j,C(n,k — 1)) possible ways. Given pmax> and consequently 7, the number of possible Xi available to be used in our scheme can be defined as: 6 = C([7\, C(n, k - 1)) • (C(n, k - 1))! • n = _ ^ _ • n (4.24) In Fig. 4.7, log2(5) is shown as a function of 7, representing the binary equivalent cardinality of the space of possible values of Xj as a security measure equivalent to a binary key-space. As an example, in a {2,4} secret sharing scheme, if an equivalent of 32 bits of security are required for the possible values of x^, according to Fig. 4.7 and (4.23), pmax ~ 941 with xmax ~ 819115093. Using [30] to share x,, m = 4 in this case, resulting in n • 4 • [log2 xmax] = 480 bits required to represent the shares of Xj—a value insignificant compared to the size of the typical image input and shares. Here we see that in utilizing [30] to share Xj, the expansion factor m = 4 is tolerable. In this part, we focus on the weaknesses of the proposed SSVD scheme from a security analysis point of view and recommend a number of solutions to overcome these problems. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 70 60 (k,n)=(2,2) j j (k,n)=(2,3) i 50 _, — - -*• to" i~ - 1 •—' " """ " ~30 " ;r —.•,— o r - «••—" - <* t—* - 20 "* JT* if ^,,-r*- !••• * 10 0* '• ' ' ' ' 0 100 200 300 400 500 7 Figure 4.7: The log2 of the number of possible values of Xi (6) as a function of 7, indicating the security of Xi against exhaustive search attack. It should be mentioned that the main purpose of the proposed number theory based framework is to propose a {k, n} SSVD scheme with no expansion (m = 1) while achieving perfect reconstruction and its cryptanalytic evaluation is out of the main scope of this work and will be considered as a future research work in this area. The main shortcoming of the proposed scheme arises from the limited size of ring (.Z256) m which all the encryption and decryption steps are taken place. It reduces the number of possible choices for an attacker to guess the exact value of Xj and s$. However, any increase in the size of the utilized ring, affect the expansion factor m. It means that there is a tradeoff between the size of the operation ring and the generated visual shares. If the security of the generated shares should be preserved, according to the RGB representation of color images, size of the operation ring can be changed based on the application. As a solution, the original input image can be divided into blocks of h pixels (h < KiK2) to perform the share generation and decryption procedures in Z224xh. It should be mentioned that every h pixels in one block can be considered as a single secret value in Z2-axh and the generated shares are also h pixels. Therefore, there is no expansion in the size of the generated shares compared to the original input image. If CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 71 there is no limitation in the attributed bandwidth, different pixel values, based on their spatial positions, can be shared using various sets of x- However, the generated shares should store much more information which results in significant overhead. Another problem regarding the proposed number theory based scheme comes from the entropy reduction of the input image during the encryption procedure. It can happen due to map of different pixel values to a same value. For example all of the shares of a pixel with zero value are zero. As a solution, the input image can be re-scaled to a maximum of 254 and then increased by one. However, it affects the perfect recovery of the input image. Finally, some unqualified subsets of participants may recover the secret value. Ac cording to (4.11), gcd(xt) / 1 for t < k. Suppose that gcdxt = M sucn that Tn^pnSiXi = \x and Si G Z. Based on (4.11), for some unqualified subsets of x, \i should be an odd in teger else all of Xi (1 < i < n) are even and gcdxt ^ 1 for t > k. Since \x is odd, it is invertible (^_1) in Z256 or in any finite rings of integers with a power of two elements. Employing pTx during the decryption phase, the input secret image can be reconstructed as follows: Spp = /x_1[^ SjSHJp] mod 256 iePp = IJT1[ Y2 SiXiSp] mod 256 = /i-1[ y^ s^jSp mod 256 = n~~lfx • Sp mod 256 = SP (4.25) As a recommended solution to this problem, the hash value of gcd(xt) — M can be calculated and compared against the hash value of 1 to identify any unqualified subset of participants. Also, any SSVD scheme may be faced by different types of attacks from malicious adversaries who wish to deviate from the sharing policy in any number CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 72 of ways, or from participants using the so-called methods of "cheating". The problem of developing schemes immune to these attacks and cheating is beyond the scope of this section; these are considered in [82]. Based on the preceding discussion, it can be concluded that the proposed scheme is not perfect secure from an information theoretic point of view. However, adding computational complexity to the system can make it computationally secure which was considered in detail in [83]. On {2,2} SSVD Scheme Most of the previous works in the area of SSVD differentiate between {2,2} and {k, n} schemes [30] since the {2,2} solution is viewed as the basic solution for the more general case of the {k, n\ SSVD problem. In many cases, practical implementation of the {2, 2} application scenario offers reduced complexity compared to the general {k,n} case. For example, the bit-level based approach in [30] can operate on individual pixels across shares, rather than the block based operation required in the {k, n} case. For the scheme proposed in this section, the {2,2} case results in the size of the prime factor look up table A reducing to (2 x 2) and only two prime factors are needed. Compared to the general {k, n} secret sharing scheme, no additional recursive operation is required to generate A. It should be point out that the complexity of finding the Si coefficients using the extended Euclidian algorithm is reduced for a {2,2} scheme compared to the general {k, n} case. Also, S is reduced to 2 • (|_7_|) • (LTJ — 1) and f°r 2 large values of pmax, 5 « 2 • (l/yj) - As a result, to achieve a high level of security, only large values for pmax should be considered. On the Optimality of the Secret Sharing Scheme As discussed before, in SSVD schemes, pixel expansion and perfect reconstruction are considered important. Since the size of the shares and that of the reconstructed image is identical to that of the input, our proposed scheme has an expansion factor of m = 1. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 73 To evaluate perfect reconstruction, a different measure is needed, namely the so-called contrast factor. Let us consider the reconstructed image S built by a coalition of P" shares, then the contrast factor ej», with 0 < epn < 1, 1 < i < n can be defined as follows: 3 .. ELiE^iEJL i|Sc(i,j)-Se(t,j)| £P = l (426) " 3x256x(X1xtf2) ' where K\, Ki are the spatial dimensions of the input and reconstructed image, c is the color channel and |.| computes the absolute value {L\ norm). The greater the value of epn, the better the quality of the image produced using shares of P™. The pixel expansion factor (m) and the contrast factor (e) have been used before to evaluate SSVD schemes. For example, the authors in [84] have used them to evaluate the performance of {2,n} SSVD schemes. In their analysis, using two parameters, namely the the total number of shares (n) and the pixel expansion (m), they have defined the class of secret sharing schemes named i/(n, m) and defined two types of optimality. In this work, we extend the criteria of [84] to the general {k,n} case. Thus, given k,n and the pixel expansion m, we define: 1. A type I optimal secret sharing scheme in class v(n, m) if it belongs to v>(n, m) and has maximum e = ^rp^ 12pncPn£P% over v{n,m). 2. A type II optimal secret sharing scheme in class v(n, m) if it belongs to u(n, m) and has maximum emin = minp«cpr» ePr» over v(n, m). where Pn is the participant index set. Since Pg denotes an arbitrary subset of Pn with cardinality k and there are C(n, k) subsets of Pn with cardinality k, Pg C P™ describes all unique subsets of P" with k elements. The proposed scheme perfectly recovers the original image when k or more shares are used. Thus, for t>k, epn = 1 using both type I and type II criteria. It is important to note here that for k = 2 our scheme achieves e = £mm = 1 > \ outperforming the proposed scheme in [84]. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 74 Table 4.2: Summary of schemes implemented for comparison of experimental results Reference Pixel expansion Perfect reconstruction Karnaugh map based scheme {2,2} m = 1 • Number theory based scheme {k, n} 171=1 / [30] {k,n} m> 1 / m J I * [12] {k,n} '" — k ' block size / 4.3 Experimental Results Experimental results are provided in this section to verify the properties of the proposed Karnaugh map based and number theory based SSVD schemes and to compare them with other solutions in the literature. The performance of the schemes is judged according to: i) the security of the shares—i.e., that they do not reveal significant information related to the input data; ii) the pixel expansion factor m; and iii) the quality of the reconstructed image. The comparison between the input and reconstructed images is performed computationally. The proposed schemes are compared with the solutions in [30] and [12]; a summary of the comparisons is presented in Table 4.2. In all cases, RGB, 8-bit per channel input test images are utilized. In most cases, the schemes are implemented in {2,2} or {2,3} configurations, representing the most basic operating scenarios. The proposed schemes are tested using a variety of input images (i.e., face, natural outdoor scenery, surveillance frame, and scanned document) in order to test their efficacy and consistent performance in a variety of application scenarios. The effect of the permutation matrices in our proposed solutions is also examined at the end of this section. Figs. 4.8 and 4.9 depict the result of applying the Karnaugh map based schemes A and B on the same input image (Fig. 4.8(a)). Visual inspection of the generated shares verifies that the noise like generated shares reveal no information regarding the CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 75 (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 4.8: The proposed Karnaugh map based scheme A (tested for a color image) {2,2}. input secret image i.e. each participant can not independently decode the secret based on his/her assigned share. As it was expected from the theoretical description of the proposed schemes A and B, the original input image can be perfectly recovered by the coalition of the shares. Comparing the size of the visual shares in Figs. 4.8 and 4.9 indicates that the proposed scheme B can be considered as a cost effective candidate compared to the scheme A from the point of view of bandwidth constraints. Figs. 4.10 and 4.11 show the result of implementing the proposed number theory (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 4.9: The proposed Karnaugh map based scheme B (tested for a color image) {2,2}. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 76 (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 4.10: The proposed number theory based method (tested for a color image) {2,2}. based scheme in {2, 2} and {2,3} scenarios, respectively. Fig. 4.10(a) shows the original input image, and Figs. 4.10(b) and 4.10(c) show the two generated shares in the {2,2} operating scenario. As it can be seen, the generated shares have the same size as the original image, demonstrating the m = 1 expansion factor. The shares also do not reveal any visual data regarding the original input. In Fig. 4.10(d), the image is perfectly reconstructed after polling both the generated shares. Similarly, for the {2,3} scenario, the three generated shares in Figs. 4.11(b) to 4.11(d) are the same size as the original and reveal no image details. Figs. 4.11(e) to 4.11(h) show perfect reconstruction under the four possible scenarios of qualified participants polling their shares. In Fig. 4.12, the results are shown for the solution in [12] in a {2,2} VSS scheme and block size of 4. As it can be seen, the input image can be perfectly recovered from the generated shares. The expansion factor is equal to \ + \ = |, however, the complex algorithm and block processing operation result in significant computational overhead. These factors may be mitigated by decreasing the block size, but for a block size of 2, the expansion factor is | + | = 1, making our proposed approach more attractive due to its computational simplicity. The results from the scheme in [30] in the {2, 2} scenario are shown in Fig. 4.13. As it is depicted in Fig. 4.13(d), the image can be perfectly reconstructed. However, the generated shares (Figs. 4.13(b) and 4.13(c)) are twice the size of the original image in both dimensions, for a pixel expansion factor of m — 4. Both of our proposed frameworks CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 77 (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 4.11: The proposed number theory based method (tested for a color image) {2,3}. (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 4.12: The method proposed by Bai {2,2} block size= 4 (tested for a color image). CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 78 (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 4.13: The method proposed by Lukac and Plataniotis (tested for a color image) {2,2}. are able to achieve m = 1, in a simpler manner compared to [30]. The proposed number theory based scheme is applied on different natural color images in the {2,3} scenario to confirm its performance on images with different pixel distribu tions, such as a face image (Fig. 4.14), a natural outdoor image (Fig. 4.15), a surveillance frame image (Fig. 4.16), and a scanned document (Fig. 4.17). In all cases, it can be seen that: i) the shares reveal no image details; ii) the shares are the same size as the original input image, giving a pixel expansion of m = 1; and iii) the original input is perfectly reconstructed upon polling a qualified subset of shares. We see that the performance of the proposed scheme is completely independent of the input. It is important to note CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 79 (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 4.14: The proposed number theory based method (tested for a face image) {2,3}. here that the same performance can be reported by applying the Karnaugh map based scheme B in a {2,2} application scenario. Finally, in Fig. 4.18 we show the result of the proposed share generation procedure in the Karnaugh map based SSVD scheme B, with and without the use of the permutation matrices. Similar to the previous experimental results, the generated shares with the use of the permutation matrices (Figs. 4.18(b) and 4.18(c)), reveal no image details. However, as it is shown in Figs. 4.18(f) and 4.18(g), without the use of the permutation matrices, some of the original image structure is revealed in the shares. This demonstrates CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 80 •&!^*y&ft:^, z^;mx;w^ mM^&^^K ^;^«^^ ^m&$&im ?m^?!>m&>6 &i.&i*:Z^ful--& &v'?&r$%®m-i. ^^;^O.m; .^*- -_ (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 4.15: The proposed number theory based method (tested for an outdoor image) {2,3}. STTB QK^ ,'.. ••J.VJ( •*. .. . '. •• ',• .. t .'. 1 ' '-I ' .' / - • • - ' - i* • • *^v — • c -•* -_ •* • * (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 4.16: The proposed number theory based method (tested for a surveillance frame image) {2,3}. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 81 (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 4.17: The proposed number theory based method (tested for a scanned document) {2,3}. CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 82 •• .- •• ".. ?* »**-.- 4^a*^ $.«!2i.1: (a) Original image (b) Share 1 (with permu- (c) Share 2 (with permu- (d) Reconstructed image tation) tation) (e) Original image (f) Share 1 (without per- (g) Share 2 (without per- (h) Reconstructed image mutation) mutation) Figure 4.18: An example of the effect of permutation in the proposed Karnaugh map based scheme B for the {2,2} scenario. the required use of the permutation operation in order to reversibly destroy the spatial correlation within the image. It should be noted that in both cases the input image can be perfectly recovered and there is no expansion in the size of the generated shares (m = l). 4.4 Chapter Summary This chapter has proposed two SSVD frameworks with no pixel expansion factor for color images while achieving the perfect reconstruction of the input image. The first section has presented two {2,2} Karnaugh map based SSVD solutions with different design objectives which apply directly on the bit planes of the input image. They can be considered as the basic solutions of the generic {k, n} SSVD scheme. The second section has proposed a number theory based {k, n} SSVD scheme. Based on the application, both CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 83 of the contributed schemes can be considered as cost-effective candidates for transmission of color images in digital imaging systems which offer fixed resources for image storage and transmission. Experimental results through a variety of sample images have proved the effectiveness of the proposed schemes. The main steps and features of each of the proposed SSVD scheme can be summarized as follows: • Karnaugh map based schemes: — They operate directly on the bit plane of the original input image — They achieve perfect reconstruction and offer a flexible pixel expansion based on the application — Their main steps can be demonstrated as follows: * Decompose the permuted image at the bit-level * Encrypt each binary tuple of the decomposed image * Decrypt the generated visual shares by taking the advantage of binary pixels arrangement in the basis matrices • Number theory based scheme: — It operates directly on the pixel levels of the original input image — It achieves perfect reconstruction and achieves no pixel expansion — Based on the application, it is a cost-effective candidate for transmission of color images in digital imaging systems which offer fixed resources for image storage and transmission — Its main steps can be summarized as follows: * Generate x satisfying (4.11) using the matrix look-up table (4.19) * Encrypt the input image according to (4.12) CHAPTER 4. SSVD SCHEMES WITH NO EXPANSION 84 * Decrypt the input image from a qualified subset of shares according to (4.14) Chapter 5 SSVD Schemes With Reduced Expansion This chapter proposes SSVD schemes with reduced expansion factor while satisfying per fect reconstruction property. Two {k, n} SSVD frameworks with different functionalities and requirements are demonstrated in detail. The first proposed scheme utilizes Maxi mum distance Separable (MDS) codes principles while the second approach is performed by partitioning the input image. Comparisons and experimental results included in this chapter indicate that the proposed algorithms compare very favorably against competing solutions when they come to pixel expansion. 5.1 Algebraic SSVD Scheme For Color Images As it was previously mentioned in Chapter 1, for bandwidth constrained communica tion channels, it is desirable to keep the expansion factor m as small as possible. For color images, reducing pixel expansion is of paramount importance since they occupy more space and consume more bandwidth compared to grayscale and binary images. This section introduces a novel, cost effective SSVD scheme suitable for color image transmission through bandwidth limited communication channels. Unlike previously 85 CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 86 {SHp,SH .. .,SITp Permutation ^ Encryption Decryption T/l V\ Pi^l J Figure 5.1: The system level diagram of the proposed algebraic SSVD scheme proposed schemes, the solution offers perfect reconstruction while producing shares with size smaller than that of the input image. The proposed {k,n} SSVD scheme in this section performs on each k consecutive pixels of the input image independently. The secret sharing method of [57] also utilizes the pixel values of a group of k pixels to develop a {k,n} SSVD scheme thus reducing the pixel expansion factor to (|). It employs a polynomial secret sharing solution to share pixels of the input image. However, performing Lagrange interpolation in a finite field with 251 elements (F25i) leads to visual quality reduction in the reconstructed input image. To perfectly recover the original input image, an additional share size expansion factor should be introduced. The complexity of our proposed method is smaller than that of [57] since a matrix inversion is employed instead of Lagrannge interpolation during the decryption stage. The MDS codes principles utilized in our proposed design allows for the introduction of a flexible framework that compares favorably to competing solutions as it can be seen by examining the experimental results included in this chapter. Fig. 5.1 depicts the sequence of the operations in the proposed framework. The rest of this section is organized as follows. Sections 5.1.1 and 5.1.2 describe the development of the proposed algorithm based on MDS codes in terms of its encryption and decryption procedures. Motivations and design characteristics are discussed in detail. Finally, the proposed scheme is compared against the presented solution in [12] from the point of view of pixel expansion. CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 87 5.1.1 Encryption The encryption module of the proposed scheme is described in this section. On the encryption side (dealer side), the following algorithm is applied to Sp to generate n shares of n participants. At first, matrix Sp is reshaped to a new matrix of dimension (r^sT^l x k)- We denote this new matrix afterwards by Sp which is set up as follows: Sp(7*, 5*) = SP(7, 8) for 1 < i < KXK2 7* = (i - 1 divk) + 1, 6* = (i - 1 modk) + 1 7 = (i - 1 divK2) + l, 6 = (i-lmodK2) + 1 (5.1) SP(7*,5*)=r for KlK2 + l A = S*P x G (5.2) A is a matrix of dimension ([^r2] xn) and G is the generator matrix of an [n, k, n—k+1] MDS code over GF(q), where 2 ifn-l To produce the shares, we use the columns of two matrices Amocj and AdiV which are defined below: A-mod — A mod 256 Ad%v — Adw256 (5.4) CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 88 th th Shares of i participant (1 < i < n) are Am i SB. p = [Amod(ci),Adiv(ci)} (5.5) Fig. 5.2 demonstrates the pseudo-code description of the encryption phase of the pro posed scheme. Input: k, n, a (K\ x K-i) color image S and the generator matrix of a [n, k, n — k + 1] MDS code Output: n visual shares SHP (1 < i < n) Step 1. Permute the input image S —> Sp Step 2. Convert Sp to S*P according to (5.1) Step 3. Encode Sp by A = Sp x G Step 4. Let Amod — A mod 256 Adiv = A div 256 Step 5. Let SHp = [Arood(cj), Adiv(ci)} Figure 5.2: Pseudocode description of the encryption phase of the proposed algebraic SSVD scheme. 5.1.2 Decryption The decryption step of the proposed SSVD scheme is considered in this section. According to the definition of the {k, n} scheme, every group of k or more participants can recover the secret image. Suppose participants ii,...,ik where {ii,...,ik} C {l,...,n} are gathered. Without loss of generality, we assume i\ < %i < ... < ik- Therefore, for 1 < J' < k, Adiv{cij) and Amod(cj3.) are available. From (5.4), the columns ii,...,ik of CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 89 matrix A can be calculated as follows: A(CJ.) = 25QAdiv(ci:j)+Amoci,(cij) where 1 < j < k. Prom (5.2), S* can be obtained as follows: Sp = A(CJJ, ... ,c.jt,... ,Cik) x (G(CJX, ... ,Cit,..., Cik)j (5-6) where 1 < t < k. It should be noted that the second term of the right side of (5.6) is the inverse of a matrix composed of the columns c^,..., qfc of G. Since the rank of G is k and G^,..., QJ is full rank for any sequence of ii,... ,ik < n, the inverse of the above matrix always exists. Any subset of participants with fc — 1 or less elements can not gain any information about the secret input image because the inverse of the matrix in equation (5.6) does not exist. After determining Sp, the permuted image can be recovered as follows: SP(i,j) = S*PCy,S) (5.7) where -y=((K2(i-l)+j-l)divk) + l, (5.8) 5 = {{K2{i - 1) + j - 1)modk) + 1, (5.9) I < i < Ki and 1 < j < K2- Finally, the original input image can be reconstructed as follows: S = P^1 x (Sp x P21) (5.10) Thus, using the proposed method, the secret image can be perfectly reconstructed in the presence of at least k participants. Fig. 5.3 describes the pseudo-code description of the decryption procedure. 5.1.3 On Pixel Expansion As it was previously discussed, one of the important measures for the efficiency of any SSVD scheme is the expansion factor m. Schemes with small m are good candidates CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 90 Input: A qualified subset of the generated shares SHp where i € P™, permutation matrices and the generator matrix G Output: Original input image S Step 1. Compute SF from (5.6) Step 2. Compute the permuted image Sp from (5.7)-(5.9) Step 3. Recover the input image S from its permuted version Sp according to (5.10) Figure 5.3: Pseudocode description of the decryption phase of the proposed algebraic SSVD scheme. for secure transmission of color images over bandwidth limited communication networks. The properties of the MDS generator matrices are used in order to calculate the expansion factor of our proposed SSVD scheme. From (5.3), the number of bits required to represent Amo(j and A^w when 1 < k < n — 2, can be calculated as follows: (8 + log2*(n-2))r*^l Therefore, (8 + log fc(n-2))r^l m = 2 8/^2 (8 + log fc(n-2))(^p + l) < 2 1 (8 + log, k(n - 2)) 1 , Let mi = (8 + log2(fc))|"^p~|. When n — 1 < k < n, the corresponding expansion factor is: "-^"i+s^w (5'12) CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 91 For commonly used images (i.e. 512 x 512), terms with the dimensions (K\ x K2) in the denominator could be neglected. It can be concluded that the expansion factor of the proposed {k, n} scheme is approximately equal to - i + £log (fc(n-2)) l • its small expansion factor • its strong protection of the secret image • its ability to process image in realtime. For most of the practical values of {k, n} schemes, the expansion factor of our method is less than that of the method in [12]. The image shares in [12] have sizes defined as i- ~*~ block size °^ ^e secret image size where the "block size" is greater than 2k — 3. To compare the expansion factor of our solution (denoted by m) to the expansion factor of the solution in [12], namely \ + bloc^size, we define the so-called Expansion Factor Ratio (EFR) as follows: EFR = i • mi (5-14) k block size which is plotted versus k for some given numbers of participants n (see Fig. 5.4). As it can be understood from Fig. 5.4, for most of practical values of {k,n},2 < k < n < 10, our method has a smaller expansion factor compared to the method in [12]. In [57], the proposed method has the expansion factor of ^. Their method is a lossy scheme which in some cases can not perfectly reconstruct the secret image. Our proposed method can perfectly reveal the secret image by any subset of participants with k or more CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 92 Figure 5.4: Comparison of expansion factor of our algebraic method and the proposed scheme by Bai. n is the number of participants. elements which outperforms the method of [57] in the cost of increasing the size of each share a little. 5.2 A Second Generation SSVD Scheme For Color Images A novel, cost effective SSVD scheme is introduced in this section. The scheme partitions the input image into sub-components by utilizing a segmentation step. The contents of the segmented parts are subsequently used to form a secret sharing solution. This modular approach, which mimics the second generation coding principles, affords perfect reconstruction. Comparisons and experimental results included in this chapter indicate that it also compares very favorably against competing solutions when it comes to pixel expansion. A system level diagram of the proposed solution is shown in Fig. 5.5 The main contribution of this section is the proposal of a simple segmentation based CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 93 {SHp,SHp,...,SHp} Preprocessing Segmentation ^J Encryption M Decryption &> a ^> PuP* {k,n} Figure 5.5: System level diagram of the proposed segmentation based SSVD scheme {k,n} scheme. A segmentation step is utilized in the proposed SSVD scheme to control share expansion within a perfect reconstruction framework. Compared to the solution of [12], the framework applies sharing principle on blocks of data rather than pixels, thus it reduces complexity and allows users to share parts of the image such as background, foreground or objects. In this work the segmentation solution partitions the input image to arbitrary non overlapping segments. The number of segments depends on the values k and n of the SSVD scheme. The visual shares which are to be distributed to the participants are concatenated subsets of the non overlapping image parts. It will be shown that for large, yet practical, values of k and n, the achieved expansion factor is very small compared to [12]. This makes the proposed scheme a cost effective candidate for transmission of color images through bandwidth limited communication channels. The rest of this section is organized as follows. Sections 5.2.1 and 5.2.2 introduce the segmentation based SSVD approach. Motivation, characteristic and design parameters are discussed in detail. Section 5.2.4 compares the proposed SSVD scheme against the proposed schemes in [12] and Section 5.1 in terms of pixel expansion. 5.2.1 Segmentation of the input image As it can be seen from Fig. 5.5, after permuting the input image, segmentation is used to partition the permuted input to non-overlapping parts. Although the permuted input can be partitioned arbitrarily, for presentation purposes and without loss of generality, vertical partitions are considered in this work. To simplify the derivation, due to space limitation, it is further assumed that Ki is a multiple of I = C(n,k — 1). If it is not CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 94 the case, I ~ K2 + [^J x I columns are concatenated to Sc to make K2 a multiple of /. Each component of the concatenated columns is a random integer between zero T to 255. The permuted input image Sp = [Sp!, Sp2,Sp3] is partitioned to I parts, Sp = {Sp, Sp,..., Sp}, such that: 2 . S£(]Sp = 4>,h1^h2,h1,h2£{l,2,...,l} • U/i=i Sp = Sp • SP — [SPl, Sp2,Sp3] • SPc = [sPc(i,j)], l • [SPcoSPeo...oSPc] = Spc where 4>, o, f] and (J are the empty set, matrix concatenation operation, intersection and union operations respectively. The first two conditions ensure that the SP elements do not overlap and they cover the entire permuted image respectively. It should be noted that this segmentation procedure allows for sharing only parts of the input image and not the entire image. This is a novel feature since all previously published solutions operate on the whole input image. Within the proposed framework, it is possible to identify features or areas in the in put image and use these features or areas to improve performance. It is the thesis of our proposed scheme that by identifying and separating, via segmentation, visually signifi cant information rich area, cost effective SSVD solution could be applied. Furthermore, different sharing solutions could be applied to different input segments. Because of its similarity to the second generation coding solutions [85], the proposed scheme can be considered as a second generation SSVD scheme. To the best of our knowledge, this is the first attempt to introduce modeling concepts to SSVD. CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 95 Input: k, n and SP Output: n visual shares SHP (1 < i < n) Step 1. Compute / = C(n, k — 1) Step 2. Let Key; = {j\i $ P(l_1):/} where 1 < j < I th Step 3. Generate i share (1 < i < n) SH^> = SpK Figure 5.6: Pseudocode description of the encryption phase of the proposed segmentation based scheme. 5.2.2 Encryption Encryption begins by defining the so-called participant index set Pn = {1,2,... ,n} where n is the number of participants and an arbitrary subset P™ C P" with cardinality t with 1 < t < n similar to the utilized notation in Chapter 4. Obviously, there are n C(n,t) possible such sets. Let PJ{,...,P^n^ be C(n,t) distinct subsets of P with th th cardinality t. Also, let SHP be the i share given to i participant (1 < i < n). Since in the proposed SSVD scheme each SHP is a subset of SP, a placement key (KeyJ should th accompany SHP to represent which elements of SP constitutes i share. It is applied in share construction during encryption and verification of qualified subsets of participants during decryption. Also, for any specific set Q = {ii, ii,..., iw} C {1,2,... ,1} (w < I and *! < *2 < ... < iw), we define SPQ = [SPQi, SPQ2, SpJ where SPQc = [S^oS^o... S£J. The pseudo-code description of the generation of shares is provided in Fig. 5.6. CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 96 n Input: SHP and Key; where Vi € Pt Output: The original input image S Step 1. Compute X — \JiePn Keyi Step 2. If X ^ {1,2,..., I}, P? is an unqualified subset of participants who does not possess all the elements of SP and finish Step 3. If X = {1,2,..., /}, using Keyi and SHP compute Uiep™ SHp = SP = {SP,..., Sp} Step 4. Let SP = [SP o Sp o ..., oSP] = [SPl, SP2, SP3] 1 1 Step 5. Compute Sc = (Pr x SPc) x P2 (1 < c < 3) Step 6. S = [Si,S2,S3] Figure 5.7: Pseudocode description of the decryption phase of the proposed segmentation based scheme. 5.2.3 Decryption The decryption phase of the proposed scheme is considered in this section. Suppose that a subset of participants (F™ where 2 < t < n) poll their shares together to decrypt their shares and recover the input image. The pseudo-code description of the decryption func tion is depicted in Fig. 5.7. The decryption procedure consists of two parts: i)verification (steps 1-3) and ii)reconstruction (steps 4-6) for qualified subsets of participants. The coalition of the placement keys (X) is utilized to know that if Pp contains all the elements of SP. According to the definition of a {k, n} SSVD scheme, we should prove that UieP" Keyi = {1,2,..., /} for t > k and Uiep™ Keyi =£ {1, 2,..., 1} for t < k. Proposition 5.1 proves the preceding statement (The proof is given in Appendix A). CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 97 Proposition 5.1 Qualified subsets of participants have access to all the elements o/SP while non-qualified participants are prohibited from possessing all of these elements. In other words, Vt > k, X = \JiePn Key; = {1,2,...,/} while Vt < k, X = UieP" Key; ^ {1,2,...,/}. 5.2.4 On Pixel Expansion As it was mentioned earlier, one of the common way to evaluate {A;, n} SSVD schemes is to consider their expansion factor m. In bandwidth constraint channels, it is desirable to keep m as small as possible. According to steps 2 and 3 of the encryption procedure, each of the generated shares SHP (1 < i < n) is a concatenation of a subset of SP elements. Thus, the expansion factor of the proposed SSVD scheme is proportional to the number of the elements of SP which constitutes SHP. Based on the step 2 in the pseudo-code description of the encryption function, it is equal to the number of jf's (1 < j < I) satisfying i ^ P(k-i)j which is C(n, k — 1) — C(n — 1, k — 2). As a result, the expansion factor of our proposed scheme can be calculated as follows: C(n,k-l)-C(n-l,k-2) n-k + 1 , , m = —- : = (5.15rir) I n Since for any {k,n} SSVD scheme 2 < k < n, it can be concluded that ^ < m < Ti=^ < 1 which makes the proposed scheme an appropriate candidate for transmission of color images over bandwidth limited communication channels. Due to utilization of the segmentation approach in the proposed SSVD scheme, for large values of k and n, the expansion factor is negligible. In other words, lirrifc^^oom = 0. In most practical applications of the SSVD solutions, it is not reasonable to assume that the number of participants will be infinity. The analysis using a value k, n —> co is used to illustrate that the proposed scheme has indeed a significantly small expansion factor. The pixel expansion property of our proposed segmentation based scheme is compared against the expansion characteristics of the schemes in [12] and Section 5.1. Their small CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 98 Figure 5.8: Comparison of compression rates of the proposed segmentation based method against the proposed scheme by Bai. n is the number of participants. expansion factor, perfect reconstruction and the ability for realtime processing are the main advantages of these proposed schemes. We define the so-called Expansion Factor Ratios EFR; = ^, (1 < i < 2) where m1 = \ + bloc^size and block size is greater than 2k — 3 and I + k !og (k(n - 2)) 1 < k < n - 2 2 (5.16) m2 \ + lk\og2{k) n — 1 < k < n as a measure for comparing the expansion factor (m) of our scheme against the expan sion factor (roi) of [12] and (m2) of our algebraic scheme respectively. Figs. 5.8 and 5.9 compare the expansion factors as a function of k (the cardinality of each subset of participants) for different values of n (the total number of participants). It is important to mention that we consider practical values for k and n(2 According to Fig. 5.9, from the point of view of the expansion factor, our proposed CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 99 Figure 5.9: Comparison of the expansion factor of the proposed segmentation based method against the proposed algebraic scheme, n is the number of participants. SSVD scheme outperforms the method in Section 5.1 for an {n,n} scheme which is the most applicable case of sharing an input image between a set of participants while all of the assigned shares are required for reconstruction. From Figs. 5.8 and 5.9, it can be concluded that although for some {k,n} SSVD scenarios, the proposed scheme in [12] or Section 5.1 achieves smaller expansion factor compared to our proposed scheme, but it should be considered that our proposed scheme utilizes a simple segmentation framework which extremely reduces the computational complexity of the system. Also, it can share part of the input image without adding significant overhead to the system. 5.3 Experimental Results Simulation results are illustrated in this section to confirm the properties of the algebraic and segmentation based schemes and to compare them against the competing solution [12] in terms of pixel expansion and bandwidth requirements. It should be mentioned that all of the implemented SSVD schemes in this section achieve perfect reconstruction. A CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 100 Table 5.1: Summary of the schemes implemented for comparison in experimental results Reference Pixel expansion Algebraic scheme {fc, n} m « < i £ + m loS2 (k) n-l = n-fc+l Segmentation scheme {fc, n} n [12] {k,n} "l — k ' block size summary of the comparisons is presented in Table 5.1. In all cases, RGB, 8-bit per channel input test images are utilized. In most cases, the schemes are implemented in {2,2} or {2,3} configurations, representing the most basic operating scenarios. To get a better understanding in terms of comparison from the point of view of pixel expansion, we evaluate all of our experiments by applying different schemes on the same input image. Figs. 5.10-5.12 depict the result of applying the proposed algebraic, segmentation based schemes and the algorithm in [12] on the same input image (Fig. 5.10(a)) in a {2,2} application scenario, respectively. Visual inspection of the implemented schemes indicates that none of the independent participants can recover the secret input image based on his/her assigned share and no information regarding the input image is revealed by the generated shares. The main difference between the simulated schemes comes from their expansion factor which is jjr, | and | respectively. Comparing these different values indicates that the algebraic scheme can be considered as a cost effective candidate for transmission of color images through bandwidth limited communication channels in a {2,2} application scenario. Figs. 5.13-5.15 compare the preceding SSVD schemes in a {2,3} operating scenario. Similar to the previous simulation example, by visual inspection of the implementation examples it can be concluded that no information can be revealed from the noise like generated shares and all of the implemented schemes afford perfect reconstruction by CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 101 fsfPF- (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 5.10: The proposed algebraic SSVD scheme {2,2} (tested for a color image). , „ „ 2£33SS 1?' ~-"."Qfc»i (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 5.11: The proposed segmentation based SSVD scheme {2,2} (tested for a color image). *£$t ^ (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed image Figure 5.12: The proposed method by Bai {2, 2} block size= 4 (tested for a color image). CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 102 -«*j^.'.::_r.: 11 '.-•.-•.••:•'- ... Stll -'. •"•>-.• :v.. (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 5.13: The proposed algebraic scheme (tested for a color image) {2,3}. coalition of the qualified participants shares. However, they produce visual shares with different expansion factor which is ^, § and f of the input image in size respectively. As it was previously mentioned in Chapter 3, increasing the processing block size in the proposed scheme of [12] reduces the pixel expansion factor significantly at the cost of complex computation. Finally, Fig. 5.16 depicts the results obtained after applying the proposed segmenta tion based scheme on part of the image while the rest of the image will be unchanged. It can be visually seen that share 1 (Fig. 5.16(c)) and share 2 (Fig. 5.16(d)) are 2-2+1 of the mentioned part of the image (Fig. 5.16(b)) and approximately 0.0287 of the input image (Fig. 5.16(a)). It should be noted that compared to [12] and the algebraic scheme, which share the whole image, the segmentation based method can share important parts of the image by utilizing the simple segmentation framework without adding significant overhead to the system. Since the purpose is to share Fig. 5.16(b), we just apply the permutation on this part. From each of the noise like generated shares, no information can be revealed regarding the input image. The proposed segmentation based scheme CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 103 .K .'^L-.";^ ail S§g$§@S (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 5.14: The proposed segmentation based scheme (tested for a color image) {2, 3}. „..>: '.'.'•..>*^.-Pr,r;?--.:'. *-*..-visr-. -;rr~\v;\...v•/••;- ' v . •"•-•.• .•.*!• •' •**£ J:1^** i" (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e) Reconstructed image (f) Reconstructed image (g) Reconstructed image (h) Reconstructed image using shares 1 and 2 using shares 1 and 3 using shares 2 and 3 using shares 1, 2 and 3 Figure 5.15: The proposed scheme by Bai (tested for a color image) {2,3}. CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 104 (a) (b) (c) (d) (e) Figure 5.16: Sharing part of the image {2,2} in the proposed segmentation based ap proach: (a) Original image (b) Part of the image (c) Share 1 (d) Share 2 (e) Decoded image can perfectly recover Fig. 5.16(b) and as a result the whole image by polling the provided shares (Fig. 5.16(e)). 5.4 Chapter Summary Two {k,n} SSVD frameworks, namely algebraic and segmentation based schemes, which offer small expansion factor while achieving perfect reconstruction have been proposed in this chapter. The MDS codes principles used in the algebraic approach allow for the introduction of a flexible framework while the second scheme utilizes a segmentation module to regulate pixel expansion. The proposed methods have been compared to a number of well known previously methods in terms of bandwidth requirement and it has been shown that they outperforms these schemes in practical application scenarios. The key steps and characteristics of the proposed SSVD schemes can be summarized as follows: • Algebraic SSVD scheme - It can perfectly recover the input image with a small expansion factor - It utilizes MDS codes properties to share the secret image CHAPTER 5. SSVD SCHEMES WITH REDUCED EXPANSION 105 - It operates on each k consecutive pixels of the input image independently — It is capable of image transmission through bandwidth limited communication channels - Its main system level steps can be summarized as follows * Rearrange the input image pixels to make the input image compatible with the utilized MDS code * Apply an MDS code generator matrix for share generation * Recover the input image based on the properties of the MDS code • Segmentation Based Scheme — It partitions the input image for sharing — It is capable of sharing the important parts of the image — It can be considered as a simple and cost effective choice for transmission of images - It can perfectly recover the input image with a small pixel expansion - Its main system level steps for a {k, n} SSVD scheme can be summarized as follows: * Partition the input image to a number of non-overlapping parts according to k and n * Distribute the image parts to the participants in a secure manner * Reconstruct the input image based on the coalition of qualified partici pants Chapter 6 Conclusions The problems of digital data security and integrity preservation are the key challenges in data transmission through communication channels. Due to the rapid advance of wired and wireless communication systems, large volumes of visual data are transmitted through communication channels whose security requirements are beyond the most of the proposed conventional cryptographic schemes. Most of the common approaches in this area suffer from a number of limitations. In light of this, four SSVD frameworks with different functionalities have been proposed in this thesis which are capable of color image transmission over bandwidth limited, un-secure communication channels. 6.1 Research Summary The confidentiality of the transmitted visual data over digital communication networks is usually obtained by encryption. However, the critical vulnerability of the encryp tion algorithms arises from its single-point-failure issue which means that the encrypted information cannot be recovered if the encryption and/or decryption keys are lost or the encrypted content is changed or corrupted during the transmission. Unfortunately, confidentiality, integrity and authenticity can not be achieved by directly applying cryp tographic schemes to visual data. In this work, we utilize secret sharing principles for 106 CHAPTER 6. CONCLUSIONS 107 Table 6.1: Summary of the proposed schemes in this thesis Reference Pixel expansion Karnaugh map scheme {2,2} [86] 1 Number theory scheme {k, n} [87] 1 f I + m lo& (*(n - 2)) l Segmentation scheme {k, n} [89] n transmission of color images over communication channels. The main disadvantage of most of the previously proposed VC schemes comes from the impairment between the input and the reconstructed images due to the incorpora tion of human vision system during decryption. Thus, preserving the input image content with algebraic decryption operations is the prime objective of this work to make the re covered image ready for further digital image processing. At the same time, bandwidth requirements and size of the generated visual shares should be considered. Different char acteristics and properties of the proposed SSVD schemes in this thesis are summarized in Table 6.1. It should be mentioned that all of the proposed schemes are compared from the point of view of pixel expansion while satisfying perfect reconstruction. The main focus of the contributed works in the thesis is the proposal of two types of SSVD solutions as follows: • SSVD schemes with no expansion: In this context, two different SSVD frameworks have been proposed as follows: - Karnaugh Map Based {2,2} SSVD Schemes (Chapter 4.1) - Number Theory Based {k, n} SSVD Scheme (Chapter 4.2) • SSVD schemes with reduced expansion: Two SSVD frameworks with different re- CHAPTER 6. CONCLUSIONS 108 quirements have been proposed as follows: - Algebraic SSVD Scheme For Color Images (Chapter 5.1) - A Second Generation SSVD Scheme For Color Images (Chapter 5.2) The first set of the proposed schemes can be utilized in digital imaging systems which offer fixed resources for image storage and transmission while the second set of the proposed schemes are capable of transmission of color images over bandwidth limited communication channels. The proposed SSVD schemes are intended for the transmission of color images over bandwidth constraint communication channels. However, they are readily applicable to the transmission of gray scale images or computer generated visual data. The effectiveness of the proposed schemes have been verified through a number of experimental results. 6.2 Future Work The contributed methodologies have addressed the following two issues of importance in SSVD schemes: • minimizing pixel expansion • achieving perfect reconstruction However, there are a number of open problems in SSVD which are worthy to be explored as follows: • Applying SSVD on video streams: All of the proposed schemes in this work are intended for color images. It is obvious that the proposed schemes can not be applied directly on a video stream for transmission over a communication channel. Also, applying the proposed schemes on each frame can not be considered as a CHAPTER 6. CONCLUSIONS 109 cost effective solution. In this case the generated shares are time variant. The compromise between the size of the shares and the complexity of the solution is of paramount importance. • Information theoretic aspect of information leakage: One of the main shortcom ings of the proposed SSVD schemes arises from the fact that the generated shares may reveal information regarding the input image. In all of the proposed schemes, permutation as a preprocessing step has been employed to reduce the correlation between adjacent pixels and it has been shared to prohibit independent partic ipants access. Proposing secure schemes from an information theoretic point of view while satisfying small expansion and perfect reconstruction is currently under investigation • Loss of shares: The decryption procedure will be degraded if a number of shares from a qualified subset of participants are corrupted or attacked. Recovering the qualified subsets of shares from the rest of the shares, while unqualified subsets of participants can not gain information about the input can be considered as a future research work Appendix A Proofs Proof A.1 (Proposition 4.1) According to the properties of A, it can be concluded = that A.ixC(i,i) Ij- -ft should be noted that A,xj is not used for a legitimate secret sharing scheme. It is simply a construct in the algorithm which should be described. It is the matrix look-up table for the numbers which is utilized for a {i + l,i} scheme which does not really exist. In other words, we should generate i numbers such that any subset of them with i or less members have at least a common factor. Thus, all of them should contain a common factor. Having proved the initial conditions, an induction proof is considered in this part. We should prove that for a {fc, n} secret sharing, the generated matrix A-nxC(n,k—i) satisfies the following two properties. 1. Vk 2. Vt According to the recursive nature of the algorithm, it follows that for a {k,n — 1} scheme, w we have An_ixc(n-i,fc-i) ^h the properties 1. V Jfe < t < n - 1 and VI < j < C(n - 1, k - 1), 3» G P?'1 such that af;"_1) = 0 (property la) 110 APPENDIX A. PROOFS 111 1} 2. Vt Similarly, for a {k — 1, n — 1} scheme, we have An^ixc(n-i,k-2) _1 1,n_1) 1. V fc-1 < i < n-1 and VI < j < C(n-1, fc-2), 3* € Pt" SUC/J iftot oj^ = 0 (property lb) 2.yt a Considering An_ixc(n-i,fc-i)> */ 'zero' row ?'s added, giving us the extended matrix An-lxC(ii-l,H) ^•n-lxC(n-l,fc-l) (A.l) 01xC(n-l,fc-l) /£ con 6e seen that property 1 /or {k,n} is satisfied in A^_lxC/n_1>fe_1w Considering An_ixc(n_i,k-2)j «/ a 'one' row is added, giving us the extended matrix A _ixC(n-l,fc-2) A n An-lxC(n-l,fc-2) (A.2) 'lxC(n-l,fc-2) If can again be seen that property 1 for {k,n} is satisfied in An_lxC/ri_1 k_2\- It follows from the above that for L (A.3) nxC(n,fc-l) An_ixC(n-l,fc-l) -A-n-lxC(n-l,fc-2) property 1 /or {fc, n} is stili satisfied. In order to prove that A.nxc(n,k-i) from (A.3) satisfies property 2 for {k, n}, we examine two possible cases of unqualified arbitrary participants subsets P™, t < k : 1. If n £ P" (the last row is not included in the arbitrary subset), then property 2 is satisfied from A.n-\xc(n-i k_1s as a result of property 2a for {k, n — 1}. 2. If n £ P" (the last row is included in the arbitrary subset), then property 2 is satisfied from A^_lxC./n_ljfc_2) as a result of property 2b for {k — l,n — 1}. This APPENDIX A. PROOFS 112 can be seen from the fact that adding a row of 'ones' does not break the condition set by property 2. Proof A.2 (Proposition 4.2) Let col(Anxc(n,k~i)) denote the number of columns of A„xc(™,fc-i). According to (4.19) A 4 COl(AnxC(„,k-l)) = C0Z(A„_lxC7(n-l,fc-l)) + C0Z(An_ixC(n-l,k-2)) ( - ) and col(Aixc(i,i)) = i and col{Aixc(i,i)) — 1 where 1 < k < n and 1 < i < n. Based on th th the definition of Pascal's triangle [90], col{AnxC{n,k-\)) is the k element in the n row of Pascal's triangle. Thus, the number of Anxc(n,k-~i) is equal to col(AnxC(n,k-i)) = C(n, k-l) (A.5) Proof A.3 (Proposition 4.3) According to (4-19), the last row of Anxc(n,k~i) has a C{n — 1, k — 2) 'ones'. It can be seen that the second last row of Anxc(n,k-i) ^° has C(n - 1, k - 2) 'ones' because A„-lxC(n-i,k-~i) and A„_lxC(„-i,fc-2) have C(n - 2, k - 2) and C(n — 2, k — 3) 'ones' in their last row, respectively, and based on the Pascal equality C(n - 2, k - 2) + C(n - 2, k - 3) = C(n - 1, k - 2) According to the recursive nature of A, it can be concluded that each row has exactly C(n — 1, k — 2) ones. Proof A.4 (Proposition 5.1) Suppose that for the members of P™ (t > k), UiePn Keyi ^ {1,2,..., /}. It means that 31 < j < I such that Vz G P™, SP ^ SHP. According to steps 2 and 3 of the encryption procedure, it leads to the fact that 31 < j < I such that Vi G Pt™, i G P {1,2,..., 1} which means that 31 < j < I such that Vi G P", SP ^ SHP. It confirms that rue 31 < j < I such that Vz G P", i € PJk-\)j- It is t because the cardinality of P^k_^ is k-l>t. Appendix B An Example of Number Generation Algorithm Suppose that the recursive algorithm of Proposition 4.1 should be used to generate num bers needed in a {3,4} secret sharing scheme. We know that A3xc(3:i) — I3. Hence, 1 0 0 10 0 ^2xC(2,2) L2xC(2,l) A.3xC(3,2) 0 1 0 0 1 0 MxC(4,2) — 0 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 1 1 1 Based on our definition, A2xc(2,2) = and A2xc(2,i) = 12- Then A3xC(3,2) = 113 APPENDIX B. AN EXAMPLE OF NUMBER GENERATION ALGORITHM 114 1 1 0 1 0 1 and finally, 0 1 1 110 10 0 10 10 10 MxC(4,2) 0 110 0 1 0 0 0 111 Since A4xC(4i2) has six (C(4,2)) columns, then six candidate prime factors are needed in the construction of x,. For example, let pi = 2,p2 = 3,£>3 = 5,p4 = 7,p$ — 11, and Pe = 13 be the given candidate prime factors. Based on the rows of A4xc(2,4) and (4.18), the required numbers are generated as follows : 1 1 1 Xl = (2) x (3) x (5)° x (7) x (11)° x (13)° = 42 1 1 1 X2 = (2) x (3)° x (5) x (7)° x (ll) x (13)° = 110 1 1 1 s3 = (2)° x (3) x (5) x (7)° x (11)° x (13) = 195 1 1 1 X4 = (2)° x (3)° x (5)° x (7) x (ll) x (13) = 1001 If we randomly choose any subset of these numbers with 2 elements, they have at least one common factor. For example X2 and £3 have 5 as a common factor, and as a result, gcd(x2, £3) 7^ 1. Based on the properties of matrix A4xc(4,2), if a subset of these numbers with 3 or 4 elements is randomly selected, their elements are relatively prime to each other. Bibliography [1] D. Eager, M. Vernon, and J. Zahorjan. Minimizing Bandwidth Requirements for On- Demand Data Delivery. IEEE Transactions on Knowledge and Data Engineering, pages 742-757, 2001. [2] D.A. Keim. Visual exploration of large data sets. Communications of the ACM, 44(8):38-44, 2001. [3] X. Wang, M. Zhan, C.H. Lai, and H. Gang. Error function attack of chaos syn chronization based encryption schemes. Chaos: An Interdisciplinary Journal of Nonlinear Science, 14:128, 2003. [4] RJ Lopes, AT Lindsay, and D. Hutchison. The utility of MPEG-7 systems in audio visual applications with multiple streams. IEEE Transactions on Circuits and Sys tems for Video Technology, 13(l):16-25, 2003. [5] X. Du, Y. Wang, J. Ge, and Y. Wang. An ID-based broadcast encryption scheme for key distribution. IEEE Transactions on Broadcasting, 51(2):264-266, 2005. [6] AJ Elbirt, W. Yip, B. Chetwynd, and C. Paar. An FPGA-based performance eval uation of the AES block ciphercandidate algorithm finalists. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 9(4):545-557, 2001. [7] W. Trappe and L.C. Washington. Introduction to Cryptography with Coding Theory. Prentice-Hall, Inc. Upper Saddle River, NJ, USA, 2005. 115 BIBLIOGRAPHY 116 [8] RL Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978. [9] R. Bose. Information Theory, Coding and Cryptography. Tata McGraw-Hill, 2002. [10] D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198-208, 1983. [11] X. Sun, G. Luo, and H. Huang. Component-based digital watermarking of Chinese texts. Proceedings of the 3rd international conference on Information security, pages 76-81, 2004. [12] L. Bai. A Reliable (k, n) Image Secret Sharing Scheme. Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06)-Volume 00, pages 31-36, 2006. [13] H. Vandierendonck and K. De Bosschere. XOR-Based Hash Functions. IEEE Trans actions on Computers, pages 800-812, 2005. [14] L. Knudsen and B. Preneel. Construction of secure and fast hash functions us ing nonbinary error-correcting codes. IEEE Transactions on Information Theory, 48 (9): 2524-2539, 2002. [15] B. Yang, R. Karri, and DA McGrew. Divide-and-Concatenate: An Architecture- Level Optimization Technique for Universal Hash Functions. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 24(11):1740-1747, 2005. [16] M.S. Hwang, C.C. Chang, and K.F. Hwang. A watermarking technique based on one-way hash functions. IEEE Transactions on Consumer Electronics, 45(2):286- 294, 1999. [17] M. Naor and B. Pinkas. Visual authentication and identification. Lecture Notes in Computer Science, 1294:322, 1997. BIBLIOGRAPHY 117 [18] G. Qiu. Color image indexing using BTC. IEEE Transactions on Image Processing, 12(1):93-101, 2003. [19] C. Cachin. An information-theoretic model for steganography. Information and Computation, 192(1) :41-56, 2004. [20] W. Trappe, M. Wu, ZJ Wang, and KJR Liu. Anti-collusion fingerprinting for mul timedia. IEEE Transactions on Signal Processing, 51(4):1069-1087, 2003. [21] M. Wu and B. Liu. Data hiding in binary image for authentication and annotation. IEEE Transactions on Multimedia, 6(4):528-538, 2004. [22] M. Barni, F. Bartolini, V. Cappellini, and A. Piva. Copyright protection of digital images by embedded unperceivable marks. Image and Vision Computing, 16(12- 13):897-906, 1998. [23] Y.C. Tseng, Y.Y. Chen, and H.K. Pan. A secure data hiding scheme for binary images. IEEE Transactions on Communications, 50(8):1227-1231, 2002. [24] D.C. Wu and W.H. Tsai. Data hiding in images via multiple-based number conversion andlossy compression. IEEE Transactions on Consumer Electronics, 44(4): 1406-1412, 1998. [25] A. Shamir. How to Share a Secret. Communications, 1979. [26] GR Blakley. Safeguarding Cryptographic Keys, AFIPS Con. Proc, 48:313-317, 1979. [27] C.C. Chang and J.C. Chuang. An image intellectual property protection scheme for gray-level images using visual secret sharing strategy. Pattern Recognition Letters, 23(8):931-941, 2002. [28] M. Naor and A. Shamir. Visual cryptography. Lecture Notes in Computer Science, 950(1):1-12, 1995. BIBLIOGRAPHY 118 [29] Y.C. Hou and S.F. Tu. Visual Cryptography Techniques for Color Images Without Pixel Expansion. Journal of Information, Technology and Society, 4(1):95-110, 2004. [30] R. Lukac and K.N. Plataniotis. Bit-level based secret sharing for image encryption. Pattern Recognition, 38(5):767-772, 2005. [31] C. Connolly and T. Fleiss. A study of efficiency and accuracy in the transforma tion from RGBto CIELAB color space. IEEE Transactions on Image Processing, 6(7):1046-1048, 1997. [32] B.V. Funt and M.S. Drew. Color space analysis of mutual illumination. IEEE Transactions on Pattern Analysis and Machine Intelligence, 15(12):1319-1326, 1993. [33] R. Lukac, B. Smolka, K. Martin, KN Plataniotis, and AN Venetsanopoulos. Vector filtering for color imaging. IEEE Signal Processing Magazine, 22(l):74-86, 2005. [34] HS Malvar, A. Hallapuro, M. Karczewicz, and L. Kerofsky. Low-complexity trans form and quantization in H. 264/AVC. IEEE Transactions on Circuits and Systems for Video Technology, 13(7):598-603, 2003. [35] G. Strang. Linear algebra and its applications. New York: Academic, 1976. [36] L. Fratta and U. Montanari. A Boolean algebra method for computing the terminal reliability in a communication network. IEEE Transactions on Circuits and Systems, 20(3):203-211, 1973. [37] BCH Turton. Extending Quine-McCluskey for Exclusive-Or logic synthesis. IEEE Transactions on Education, 39(l):81-85, 1996. [38] T.M. Apostol. Introduction to Analytic Number Theory. Springer, 1976. [39] F. Lemmermeyer. The Euclidean algorithm in algebraic number fields. Expo. Math, 13:385-416, 1995. BIBLIOGRAPHY 119 [40] F.J. MacWilliams and N.J.A. Sloane. The theory of error-correcting codes. North- Holland Amsterdam, 1988. [41] L. Xu and J. Bruck. X-code: MDS array codes with optimal encoding. IEEE Transactions on Information Theory, 45(l):272-276, 1999. [42] M. Iwamoto and H. Yamamoto. The Optimal n-out-of-n Visual Secret Sharing Scheme for Gray-Scale Images. IEICE Trans. Fundamentals, pages 2238-2247, 2002. [43] G. Ateniese, C. Blundo, A. De Santis, and D.R. Stinson. Visual Cryptography for General Access Structures. Information and Computation, 129(2) :86-106, 1996. [44] YC Hou, CF Lin, and CY Chang. Visual cryptography for color images without pixel expansion. Journal of Technology, 16(4):595-603, 2001. [45] Y.C. Hou and S.F. Tu. A Visual Cryptographic Technique for Chromatic Images Us ing Multi-pixel Encoding Method. Journal of Research and Practice in Information Technology, 37(2): 179-192, 2005. [46] R. Ito, H. Kuwakado, and H. Tanaka. Image Size Invariant Visual Cryptography. IE- ICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 82(10):2172-2177, 1999. [47] R.Z. Wang and S.J. Shyu. Scalable secret image sharing. Signal Processing: Image Communication, 22(4):363-373, 2007. [48] P.A. Eisen and D.R. Stinson. Threshold Visual Cryptography Schemes with Spec ified Whiteness Levels of Reconstructed Pixels. Designs, Codes and Cryptography, 25(1):15-61, 2002. [49] E. Myodo, S. Sakazawa, and Y. Takishima. Visual Cryptography Based on Void-And-Cluster Halftoning Technique. IEEE International Conference on Image Processing, 2006, pages 97-100, 2006. BIBLIOGRAPHY 120 [50] A New Construction Algorithm of Visual Cryptography for Gray Level Images. [51] C.C. Lin and W.H. Tsai. Visual cryptography for gray-level images by dithering techniques. Pattern Recognition Letters, 24(l-3):349-358, 2003. [52] D. Wang, L. Zhang, N. Ma, and X. Li. Two secret sharing schemes based on Boolean operations. Pattern Recognition, 40 (10): 2776-2785, 2007. [53] Z. Zhou, Gr. Arce, and G. Di Crescenz. Halftone Visual Cryptography. IEEE Transactions on Image Processing, 15(8):2441-2453, 2006. [54] E.R. Verheul and H.C.A. van Tilborg. Constructions and Properties of k out of n Visual Secret Sharing Schemes. Designs, Codes and Cryptography, 11(2):179-196, 1997. [55] L. Fang and B. Yu. Research on Pixel Expansion of (2, n) Visual Threshold Scheme. 1st International Symposium on Pervasive Computing and Applications, pages 856- 860, 2006. [56] C.N. Yang and T.S. Chen. Reduce shadow size in aspect ratio invariant visual secret sharing schemes using a square block-wise operation. Pattern Recognition, 39(7):130O-1314, 2006. [57] C.C. Thien and J.C. Lin. Secret image sharing. Computers & Graphics, 26(5):765- 770, 2002. [58] S. Cimato, R. De Prisco, and A. De Santis. Colored visual cryptography without color darkening. Theoretical Computer Science, 374(1-3): 261-276, 2007. [59] W.G. Tzeng and CM. Hu. A New Approach for Visual Cryptography. Designs, Codes and Cryptography, 27(3):207-227, 2002. [60] C. Blundo, S. Cimato, and A. De Santis. Visual cryptography schemes with optimal pixel expansion. Theoretical Computer Science, 369(1-3):169-182, 2006. BIBLIOGRAPHY 121 [61] S.J. Shyu. Efficient visual secret sharing scheme for color images. Pattern Recogni tion, 39(5):866-880, 2006. [62] C.N. Yang and C.S. Laih. New Colored Visual Secret Sharing Schemes. Designs, Codes and Cryptography, 20(3):325-336, 2000. [63] C. Blundo, A.D. Bonis, and A.D. Santis. Improved Schemes for Visual Cryptogra phy. Designs, Codes and Cryptography, 24(3):255-278, 2001. [64] Y.F. Chen, Y.K. Chan, C.C. Huang, M.H. Tsai, and Y.P. Chu. A multiple-level visual secret-sharing scheme without image size expansion. Information Sciences, 177(21): 4696-4710, 2007. [65] F. Yi, D. Wang, P. Luo, L. Huang, and Y. Dai. Multi secret image color visual cryptography schemes for general access structures. Progress in Natural Science, 16(4):431-436, 2006. [66] H. Koga, M. Iwamoto, and H. Yamamoto. An Analytic Construction of the Visual Secret Scheme for Color Images. IEICE Transactions on Fundamentals of Electron ics, Communications and Computer Sciences, 84. [67] C.N. Yang and T.S. Chen. Size-Adjustable Visual Secret Sharing Schemes. IE- ICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, (9):2471-2474, 2005. [68] S. Sudharsanan. Shared key encryption of JPEG color images. IEEE Transactions on Consumer Electronics, 51(4):1204-1211, 2005. [69] D. Jin, W.Q. Yan, and M.S. Kankanhalli. Progressive color visual cryptography. Journal of Electronic Imaging, 14:033019, 2005. [70] D.Q. Viet and K. Kurosawa. Almost Ideal Contrast Visual Cryptography with Reversing. Proc. of Topics in Cryptology-CT-RSA, pages 23-27, 2004. BIBLIOGRAPHY 122 [71] V. Rijmen and B. Preneel. Efficient colour visual encryption or shared colors of Benetton, rump session of Eurocrypt, 96. [72] Y.C. Hou. Visual cryptography for color images. Pattern Recognition, 36(7):1619- 1629, 2003. [73] L. Bai. A Strong Ramp Secret Sharing Scheme Using Matrix Projection. Proceed ings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks, pages 652-656, 2006. [74] C. Blundo. On the Contrast in Visual Cryptography Schemes. Journal of Cryptology, 12(4):261-289, 1999. [75] T. Hofmeister, M. Krause, and H.U. Simon. Contrast-optimal k out of n secret sharing schemes in visual cryptography. Theoretical Computer Science, 240(2):471- 485, 2000. [76] R. Lukac and K.N. Plataniotis. Input-Agnostic vs. Input-Specific Image Secret Sharing. 48th International Symposium ELMAR-2006 focused on Multimedia Signal Processing and Communications, pages 5-8, 2006. [77] Z.N. Li and M.S. Drew. Fundamentals of Multimedia. Prentice Hall, 2004. [78] V.C. Hamacher, Z.G. Vranesic, and S.G. Zaky. Computer organization. 1984. [79] C. Asmuth and J. Bloom. A modular approach to key safeguarding. IEEE Trans actions on Information Theory, 29(2):208-210, 1983. [80] O. Goldreich, D. Ron, and M. Sudan. Chinese remaindering with errors. Proceedings of the thirty-first annual ACM symposium, on Theory of computing, pages 225-234, 1999. [81] AE Ingham. The Distribution of Prime Numbers. Cambridge University Press, 1990. BIBLIOGRAPHY 123 [82] CM. Hu and W.G. Tzeng. Cheating Prevention in Visual Cryptography. IEEE Transactions on Image Processing, 16(l):36-45, 2007. [83] H. Krawczyk. Secret sharing made short. Advances in Cryptology-CRYPTO, 93:136- 146. [84] M. Bose and R. Mukerjee. Optimal (2, n) visual cryptographic schemes. Designs, Codes and Cryptography, 40(3):255-267, 2006. [85] M. Kunt, A. Ikonomopoulos, and M. Kocher. Second-generation image-coding tech niques. Proceedings of the IEEE, 73(4):549-574, 1985. [86] M. Heidarinejad and K. N. Plataniotis. Karnaugh Map Based {2,2} Visual Cryp tography Schemes. Submitted to International Journal of Pattern Recognition and Artificial Intelligence (IJPRAI), 2008. [87] M. Heidarinejad, K. Martin, and K. N. Plataniotis. Number Theory Based {k, n} Vi sual Cryptography Scheme. Submitted to IEEE Transactions on Information Foren- sics and Security, 2008. [88] M. Heidarinejad, A. Alamdar, and K. N. Plataniotis. Algebraic Visual Cryptography Scheme For Color Images. IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 1761-1764, 2008. [89] M. Heidarinejad and K. N. Plataniotis. A Second Generation Visual Secret Sharing Scheme For Color Images. Accepted in IEEE International Conference on Image Processing, ICIP, 2008. [90] A.W.F. Edwards. Pascal's Arithmetical Triangle: The Story of a Mathematical Idea. Johns Hopkins University Press, 2002.