6 XOR-Based Visual Cryptography

A (k, n) visual cryptography (VC) scheme [16] is a type of secret sharing scheme with the special property that a secret image can be recovered visually by the human eye and does not require any calculation on a computer. However, the recovered secret image has low quality. In this case, some researchers attempt to consider other different approaches to improve the quality (contrast) of the recovered image.

Lee et al. [12] presented a VC scheme using an XOR process to share a binary image. Since phase masks were placed on any path of the Mach-Zehnder interferometer for reconstruction, the method is impractical and expensive [17]. Biham and Itzkovitz [2] investigated a VC system based on passive light polarization. This is more flexible than the Naor and Shamir schemes but cannot be modeled by an XOR [17]. Tuyls et al. [17, 18] gave a VC system that uses the polarization of light. The operation of the VC system is mathematically described by an XOR operation. In Section 6.3, we will show that a (n, n)-VC scheme with optimal resolution and contrast exist, and that (2, n)-VC schemes are equivalent to binary codes. Three explicit constructions for general k out of n schemes are also introduced [17, 13].

Viet and Kurosawa [21] noticed the phenomenon that most copy machines nowadays can change a black image into a white one and vice versa, then first gave a VC scheme with reversing for binary image. In the VC scheme with reversing, a dealer needs run the distribution phase of a VC scheme c times (with c arbitrary constant), hence requiring each participant to held c shadows. The almost ideal contrast of a recovered secret image is almost obtained for a large number of runs c. Cimato et al. [7] presented two elegant construction methods to improve the contrast and pixel expansion of the scheme in Reference [21]. In order to reduce run times of two schemes [21, 7], Yang et al. [25, 26] overcame the weakness of reversing only a based perfect VC scheme and first introduced a nonperfect black VC scheme, this approach uses a Boolean XOR operation for decoding. Reducing the stacking and reversing operations and minimizing number held by each participant, Hu and Tzeng [10] proposed an ideal contrast VC scheme with less reversing and stacking operations in only two runs. The scheme needs to perform XOR operations to decode the secret image. In section 6.4, we will introduce Yang et al.’s scheme and Hu and Tzeng’s [25, 26] scheme with ideal contrast.

The construction of the above schemes is all based on basis matrices, so they may suffer pixel expansion and loss of contrast. Probabilistic VC schemes are proposed in [11, 24, 6] with no pixel expansion. However, the recovered secret image has low contrast. Wang et al. [23] proposed two secret sharing schemes based on a Boolean operation and the recovering operation is XOR. One scheme is (2, n) for the binary image, and the other is (n, n) for the grayscale image. Both have no pixel expansion. Chao and Lin [5] improved Wang et al.’s [23] scheme in order to obtain a (k, n) scheme, which is fast and with a reasonable pixel expansion rate. In section 6.5, we introduce the (2, n), (n, n), and (k, n) schemes.

6.2 Preliminaries

In a black and white (k, n)-visual cryptography (VC) scheme [16], the secret image consists of a collection of black and white pixels and each pixel is subdivided into a collection of m black and white subpixels in each of the n shares. These subpixels are printed in close proximity to each other so that the human visual system averages their individual black and white contributions. The collection of subpixels can be represented by an n × m Boolean matrix S = [s_ij], where the element s_ij represents the j-th subpixel in the i-th share. A white subpixel is represented as a 0, and a black subpixel is represented as a 1. The white subpixels are let through the light while black subpixels stop it. s_ij = 1 if and only if the j-th subpixel in the i-th share is black. The gray level of the combined share obtained by stacking shares i₁, ⋯,i_γ is proportional to the Hamming weight (the number of 1’s in the vector V) H(V) of the OR-ed (”OR” operation) m-vector V = OR(i₁, ⋯, i_γ). Based on the definition of Naor and Shamir [16], Verheul and van Tilborg [20] gave a more general definition. Following the notation from [16, 20], a definition of k out of n XOR-based visual cryptography scheme is given by Tuyls in Reference [17]. A (k, n) VC scheme S = (C₀, C₁) consists of two collections of n × m binary matrices C₀ and C₁. To share a white (black) pixel, the dealer randomly chooses one of the matrices in C₀(C₁) and distributes its rows as shares among the n participants of the system. The following is the definition.

Definition 1 [20] Let k, n, n, m, l be positive integers satisfying 1 ≤ k ≤ n and m ≥ h ≥ l. Let Z(v) be the number of 0’s in the vector v. A [(k, n); m, h, l] visual cryptography (VC) scheme consists of two collections of n × m Boolean matrices C₀ and C₁ such that:

For any s ∈ C₀, the XOR v of any k of the n rows of s satisfies Z(v) ≥ h.
For any s ∈ C₁, the XOR v of any k of the n rows of s satisfies Z(v) ≤ l.
For any i₁ < i₂ < ⋯ < i_t in {1, 2, ⋯, n} with t < k the two collections of t × m matrices D_j for j ∈ {0, 1}, obtained by restricting each n × m matrix in C_j, to rows i₁, i₂, ⋯, i_t are indistinguishable in the sense that they contain the same matrices with the same frequencies.

The number h and l are called the white level and black level, respectively, of the scheme. The parameter m is called the block length or pixel expansion and determines the resolution of the scheme. The contrast α is defined as α=(h−l)h+l $α = \frac{(h - l)}{h + l}$ . Note that α ∈ [0, 1] and α is maximal when l = 0. A scheme with l = 0 are called maximal contrast schemes. When α = 1, the contrast is defined as an ideal contrast.

The following symmetry property follows very easily and is therefore stated without proof.

Proposition 1 [17] Let S = (C₀, C₁) be a [(k, n); m, h, l] VC scheme. Let Ĉ_i be obtained from C_i by replacing zeroes by ones and vice versa. If k is even, then the scheme (Ĉ₀, Ĉ₁) is a [(k, n); m, h, l] scheme as well. If k is odd, then (C₀, C₁) is a [(k, n); m, m − l, m − h] scheme with contrast α given by αˆ=(h−l)/(2m−l−h) $\hat{α} = (h - l) / (2 m - l - h)$ . It follows that αˆ>α $\hat{α} > α$ whenever l + h > m.

6.3 Visual Cryptography Scheme Using the Polarization of Light

In this section, we will introduce XOR-based visual cryptography scheme. They are constructed using basis matrices and the secret image is recovered by an XOR certain number of shares. We will show how to construct (2, n), (n, n), and (k, n) XOR-based visual cryptography schemes as follows.

6.3.1 (2, n) Scheme

In this section, we show how to construct a (2, n) XOR-based visual cryptography scheme. The (2, n) scheme is equivalent to binary error-correcting codes. By a (m, n, d) code, that is, a binary code of length m consists of n words and a minimum Hamming distance of at least d.

Theorem 1 [17] Let m, l and h be positive integers such that l < h ≤ m. The three following statements are equivalent.

A [(2, n); m, m, l] VC scheme exists.
A [(2, n); m, h, l] VC scheme exists.
A binary (m, n, m − l) code exists.

Proof: It is clear that (i) implies (ii).

In order to show that (ii) implies (iii), let S = (C₀, C₁) be a [(2, n); m, h, l] VC scheme. Take a matrix A₁ ∈ C₁ and let C consist of the rows from A₁. As S is a [(2, n); m, h, l] VC scheme, the Hamming distance between two words from C is at least m − l. Consequently, C is a (m, n, m − l) code. Finally, to show (iii) implies (i), let C be a binary (m, n, m − l) code. For c ∈ C, let A(c) denote the n × m matrix for which each row equals c. Moreover, let B be an n × m matrix containing each word from C as a row, and for 0 ≤ i ≤ n − 1, let B(i) be the matrix obtained by a cyclic shift of the rows of B over i positions. We claim that (C₀, C₁) = ({A(c)|c ∈ C}, {B(0), B(1), ⋯, B(n − 1)}) is a [(2, n); m, m, l] scheme. It is clear that both collections contain n matrices, and that in each row, each word from C occurs in one matrix from C₀ and in one matrix from C₁, showing the indistinguishability. The sum of any two rows from a matrix in C₀ equals 0. Finally, the Hamming distance between any two rows of a matrix from C₁ is at least m − l, showing that the XOR of these two rows contains at most m − (m − l) = l zeros.

An example is given as follows.

Example 1 Let C be a binary (3, 3, 2) code containing words 100, 010 and 001 . Construct C₀ and C₁ as follows:

C 0 = ⎧ ⎩ ⎨ ⎪ ⎪ ⎡ ⎣ ⎢ 111000000 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 000111000 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 000000111 ⎤ ⎦ ⎥ ⎫ ⎭ ⎬ ⎪ ⎪,

$C_{0} = {[\begin{array}{l} 1 & 0 & 0 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{array}], [\begin{array}{l} 0 & 1 & 0 \\ 0 & 1 & 0 \\ 0 & 1 & 0 \end{array}], [\begin{array}{l} 0 & 0 & 1 \\ 0 & 0 & 1 \\ 0 & 0 & 1 \end{array}]},$

C 1 = ⎧ ⎩ ⎨ ⎪ ⎪ ⎡ ⎣ ⎢ 100010001 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 001100010 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 010001100 ⎤ ⎦ ⎥ ⎫ ⎭ ⎬ ⎪ ⎪ .

$C_{1} = {[\begin{array}{l} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{array}], [\begin{array}{l} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \end{array}], [\begin{array}{l} 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{array}]} .$

(C₀, C₁) is a [(2, 3); 3, 3,1] scheme. The contrast α=(h−l)h+l=24=12 $α = \frac{(h - l)}{h + l} = \frac{2}{4} = \frac{1}{2}$ .

6.3.2 (n, n) Scheme

In this section, we show how to construct a (n, n) XOR-based visual cryptography scheme.

Proposition 2 [17] Let C₀ and C₁ be the set of all binary vectors of length n with even, odd number of ones, respectively. Then (C₀, C₁) is an [(n, n); 1, 1, 0] scheme.

An example is given as follows.

Example 2 Let C₀ and C₁ be

C 0 = ⎧ ⎩ ⎨ ⎪ ⎪ ⎡ ⎣ ⎢ 000 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 110 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 101 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 011 ⎤ ⎦ ⎥ ⎫ ⎭ ⎬ ⎪ ⎪, C 1 = ⎧ ⎩ ⎨ ⎪ ⎪ ⎡ ⎣ ⎢ 100 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 010 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 001 ⎤ ⎦ ⎥, ⎡ ⎣ ⎢ 111 ⎤ ⎦ ⎥ ⎫ ⎭ ⎬ ⎪ ⎪

$C_{0} = {[\begin{array}{l} 0 \\ 0 \\ 0 \end{array}], [\begin{array}{l} 1 \\ 1 \\ 0 \end{array}], [\begin{array}{l} 1 \\ 0 \\ 1 \end{array}], [\begin{array}{l} 0 \\ 1 \\ 1 \end{array}]}, C_{1} = {[\begin{array}{l} 1 \\ 0 \\ 0 \end{array}], [\begin{array}{l} 0 \\ 1 \\ 0 \end{array}], [\begin{array}{l} 0 \\ 0 \\ 1 \end{array}], [\begin{array}{l} 1 \\ 1 \\ 1 \end{array}]}$

(C₀, C₁) is a [(3, 3); 1,1, 0] scheme with contrast α=(h−l)h+l=1 $α = \frac{(h - l)}{h + l} = 1$ .

6.3.3 (k, n) Scheme

In this section we will introduce three (k, n) XOR-based visual cryptography schemes. Construction 1 and Construction 2 are given by Tuyls (see more detail in Reference [17]). Construction 3 comes from Droste’s OR-based visual cryptography [9] and Liu et al. [13] shows that it is also a (k, n) XOR-based visual cryptography scheme.

Before introducing Construction 1 and Construction 2, some definitions and theorems will be given, which are used in both constructions.

For describing the constructions, we use the following notation. If A is a binary matrix, then P(A) is the multi set of matrices obtained by permuting the columns of A. Moreover, we use the concept of (k, n) pairs, defined as follows.

Definition 2 [17]A pair (A, B) of binary n × m matrices is called a (k, n) pair if there exist numbers a₁, ⋯, a_k and b₁, ⋯, b_k such that

For each i with 1 ≤ i ≤ k, the weight of the sum of any i rows from A equals a_i and the weight of the sum of any i rows from B equals b_i, and
a_i = b_i for 1 ≤ i < k, and a_k ≠ b_k.

The importance of this definition stems from the following theorem.

Theorem 2 [17] If (A, B) is a (k, n)-pair of n × m matrices, then (P(A), P(B)) is a [(k, n); m, h, l] VC scheme with h = max(m − a_k, m − b_k) and l = min(m − a_k, m − b_k). Here, a_k and b_k denote the weight of the sum of any k rows from A and B, respectively.

Some notations are given here for later use. For a binary vector v of length m, we define Z(v) as the number of zeros in v, and H(v) as its number of ones. Moreover, we define the unbalance δ(v) of v by δ(v) = Z(v) − H(v). Note that δ(v) = m − 2H(v). For later use, we also observe that δ(v)=∑j=1m(−1)vj $δ (v) = \sum_{j = 1}^{m} {(- 1)}^{v_{j}}$ . With each binary n × m matrices A we associate two vectors δ(A) and N(A) of length 2ⁿ, with the components indexed by binary vectors of length n. For each binary vector x of length n, the x-th component δ_x(A) of δ(A) is defined as δ_x(A) = δ(x^TA), the unbalance of the sum of the rows in A whose index i satisfies x_i = 1; also, the x-th component N_x(A) of N(A) is defined as the number of columns of A that are equal to x. Lemma 1 will show that the vectors δ(A) and N(A) can be computed from each other. To make this precise, define the 2ⁿ × 2ⁿ matrix H by H(x, y) = (−1)⁽^x,^y⁾, where x, y are binary vectors of length n and (x,y)=∑i=1nxiyi $(x, y) = \sum_{i = 1}^{n} x_{i} y_{i}$ denotes the inner product of x and y. Then we have the following lemma:

Lemma 1 [17]

The matrix H is a Hadamard matrix, that is, HH^T = 2ⁿI.
The vectors δ(A) and N(A) are related by δ(A) = HN(A).

We are now in the position to prove a generalization of Theorem 2. Before stating it, we need one more notation: if A is a n × m matrix, then w(A_I) denotes the weight of the sum of the rows of A indexed by I. Note that w(AI)=12(m−δχ(I)(A)) $w (A_{I}) = \frac{1}{2} (m - δ_{χ (I)} (A))$ , where χ(I) is the characteristic vector of the set I.

Theorem 3 [17] Let A and B be n × m matrices such that for each I ⊂ {1, 2, ⋯, n} of size at most k − 1, w(A_I) = w(B_I). Assume moreover that there exist integers h and I such that h > I and that for each I ⊂ {1, 2, ⋯, n} of size k, m − w(A_I) ≥ h and m − w(B_I) ≤ l. Then (P(A), P(B)) is a [(k, n); m, h, l] VC scheme.

Proof The only nontrivial thing we have to prove is the indistinguishability. Let I ={i₁,·⋯, i_t} be a subset of {1, 2, ⋯, n} of size t < k. Let Ā and B¯¯¯ $\bar{B}$ denote the restrictions of A and B to the t rows indexed by I. Let x = {x₁, ⋯, x_t} be a binary vector of length t, and let X˜ $\tilde{X}$ be the binary vector of length n for which entry i_j is equal to x_j for j = 1, 2, ⋯, t, and whose other entries equal zero. It is clear that δ_x(Ā) = δ_x(Ā). As X˜ $\tilde{X}$ has weight at most t, we find, using properties of A and B, that δx(A¯¯¯)=δx(B¯¯¯) $δ_{x} (\bar{A}) = δ_{x} (\bar{B})$ .

Hence, by Lemma 1, the number of columns N_y(Ā) in Ā and the number of columns Ny(B¯¯¯) $N_{y} (\bar{B})$ in B¯¯¯ $\bar{B}$ of type y = {y₀, ⋯, y_t₋₁} are equal for all binary vectors y of length t. As a consequence, the matrices A and B are equal up to a column permutation, which readily implies indistinguishability in the rows under consideration in the multisets P(A) and P(B). ■

Construction 1

Now an explicit construction of (k, n) VC schemes for all n and all k with 1 ≤ k ≤ n will be given below. According to Theorem 3, it is sufficient to construct (k, n)-pairs for all such n and k. We will obtain such pairs by concatenation of matrices from a fixed collection of building blocks.

For each n and w with 0 ⩽ w ⩽ n, we let the n×(nw)-matrix $n \times (\begin{matrix} n \\ w \end{matrix}) -matrix$ C_w consist of all the (nw) $(\begin{matrix} n \\ w \end{matrix})$ different 0 − 1 column vectors of weight w, in any order.

In the sequel, we will need an explicit expression for the weight of the sum of any j rows from C_w. In Lemma 2, we state the result. Here and in what follows, we will use the standard convention that (nk)=0 $(\begin{matrix} n \\ k \end{matrix}) = 0$ whenever k < 0 or k > n.

Lemma 2 [17] The weight of the sum of any j rows, 1 ≤ j ≤ n, from C_w does not depend on the choice of the rows and is equal to M_j,_W, where

M j, w = \sum i o d d (j i) (n - j w - i) .

$M_{j, w} = \sum_{i o d d} (\begin{array}{l} j \\ i \end{array}) (\begin{array}{l} n - j \\ w - i \end{array}) .$

Let λ = (λ₀, ⋯, λ_n)^T be a vector of length n +1 with nonnegative integer entries. We define the matrix C(λ) to be the matrix consisting of the concatenation of λ₀ copies of C₀, λ₁ copies of C₁, ⋯, λ_n copies of the matrix C_n. It is clear that c₀(λ), the number of columns of C(λ), satisfies C0(λ)=∑wλw(nw) $C_{0} (λ) = \sum_{w} λ_{w} (\begin{matrix} n \\ w \end{matrix})$ .

According to Lemma 2, the weight of the sum of any j rows of C(λ) equals c_j(λ), where

c j (λ) = \sum w λ w \sum i o d d (j i) (n - j w - i) .

$c_{j} (λ) = \sum_{w} λ_{w} \sum_{i o d d} (\begin{array}{l} j \\ i \end{array}) (\begin{array}{l} n - j \\ w - i \end{array}) .$

Hence, if we define c(λ) = (c₀(λ), ⋯,c_n(λ))^T, then the above can also be written as c(λ) = Mλ, where M is the (n +1) × (n +1) matrix with entries the M_j,W as defined in Lemma 2 for j ≥ 1 and with M0,w=(nw) $M_{0, w} = (\begin{matrix} n \\ w \end{matrix})$ . Now suppose that λ and µ are nonnegative integer vectors such that Mλ and Mµ agree in position 0, 1, ⋯, k − 1, but differ in position k. Then (C(λ), C(µ)) is a (k, n) pair of matrices to which we can apply Theorem 2. The way to find such vectors λ and µ is described in Theorem 5, which uses Lemma 3, Corollary 4, and Lemma 4 below.

Lemma 3 [17] For 1 ≤ j ≤ n, 1 ≤ w ≤ n, we have that Mj,w=∑k≥1(−2)k−1(jk)(n−kw−k) $M_{j, w} = \sum_{k \geq 1} {(- 2)}^{k - 1} (\begin{matrix} j \\ k \end{matrix}) (\begin{matrix} n - k \\ w - k \end{matrix})$

The following corollary is a direct consequence of Lemma 3.

Corollary 4 Let R and L be the matrices defined as Rk,w=(n−kw−k) $R_{k, w} = (\begin{matrix} n - k \\ w - k \end{matrix})$ for 0 ≤ k, w ≤ n and L_0,0 = 1, L_i_,0 = L_0,_i =0 if i > 0, and Lj,k=(−2)k−1(jk) $L_{j, k} = {(- 2)}^{k - 1} (\begin{matrix} j \\ k \end{matrix})$ if 1 ≤ j, k ≤ n. Then M = LR.

We define the (n +1) × (n + 1) matrix S by Si,j=(−1)i+j(n−ij−i) $S_{i, j} = {(- 1)}^{i + j} (\begin{matrix} n - i \\ j - i \end{matrix})$ .

Lemma 4 [17]The matrices R and S are inverses of each other.

Theorem 5 [17] Let 1 ≤ k ≤ n − 1. Let θ = (θ₀, θ₁, ⋯, θ_n) be an integer-valued vector such that θ_j =0 if 0 ≤ j ≤ k − 1, and θ_k ≠ 0, and let ϕ := Sθ. For 0 ≤ j ≤ n, we define

λ j = max (0, ϕ j) a n d μ j = - min (0, ϕ j) .

$λ_{j} = \max (0, ϕ_{j}) a n d μ_{j} = - \min (0, ϕ_{j}) .$

Then λ and µ are vectors with nonnegative integer entries, and (C(λ), C(µ)) is a (k, n) pair. The parameters of the corresponding [(k, n); m, h, l] VC scheme satisfy the following equations:

m = 1 2 \sum w = 0 n | ϕ w | (n w), h - l = 2 k - 1 | θ k |, a n d h + l = m + 1 2 \sum w = 0 n | ϕ w | \sum i (- 1) i (k i) (n - k w - i) .

$\begin{array}{l} m = \frac{1}{2} \sum_{w = 0}^{n} | ϕ_{w} | (\begin{matrix} n \\ w \end{matrix}), h - l = 2^{k - 1} | θ_{k} |, \\ a n d h + l = m + \frac{1}{2} \sum_{w = 0}^{n} | ϕ_{w} | \sum_{i} {(- 1)}^{i} (\begin{matrix} k \\ i \end{matrix}) (\begin{matrix} n - k \\ w - i \end{matrix}) . \end{array}$

Proof As S has integer entries, ϕ has integer entries, hence λ and µ have nonnegative integer entries. Using Corollary 4, Lemma 4, and the fact that ϕ = λ − µ, we find that

c (λ) - c (μ) = M λ - M μ = M (λ - μ) = M ϕ = L R S θ = L θ .

$c (λ) - c (μ) = M λ - M μ = M (λ - μ) = M ϕ = L R S θ = L θ .$

As L is a lower triangular matrix, and θ_j = 0 if j < k, it follows that c_j(λ) − c_j(µ) if 0 ≤ j ≤ k − 1, and that

h - l = | c k (λ) - c k (μ) | = | L k, k θ k | = 2 k - 1 | θ k | .

$h - l = | c_{k} (λ) - c_{k} (μ) | = | L_{k, k} θ_{k} | = 2^{k - 1} | θ_{k} | .$

Moreover, 2m = c₀(λ) + c₀(µ) = c₀(λ + µ) = c₀(|ϕ|), and similarly (m − h) + (m − l) = c_k (λ + µ) = c_k (|ϕ|). ■

We will give an example to illustrate the construction.

Example 3 Take θ = (0, ⋯, 0, 1, 2, ⋯, n − k, n − k + l)^T. As ϕ = Sθ, we have by definition

ϕ i = \sum v = k - i - 1 n - i (- 1) v (n - i v) (v - k + i + 1) .

$ϕ_{i} = \sum_{v = k - i - 1}^{n - i} {(- 1)}^{v} (\begin{matrix} n - i \\ v \end{matrix}) (v - k + i + 1) .$

If k = 3, then ϕ = (2 − n, 1, 0, 0, ⋯, 1, n − 2). Consequently, λ = (0, 1, 0, ⋯, 0, n − 2) and µ = (n − 2, 0, ⋯, 0, 1, 0). That is to say, A = C(λ) consists of the n × n identity matrix and n − 2 columns of weight n, while B = C(µ) consists of n − 2 all-zero columns and furthermore contains each column of weight n − 1 once. It is clear that A and B both contain 2n − 2 columns. Straightforward computations show that a₁ = b₁ = n − 1, a₂ = b₂ = 2, a₃ = n + 1, b₃ = n − 3. As a consequence, we obtain a [(3, n); 2n − 2, n + 1, n − 3] VC scheme with α = 2/(n − 1).

Construction 2

In general, it seems hard to give manageable expression for the physical parameters of the schemes obtained with Construction 1. Tuyls [17] gave another explicit construction of a (k, n) VC scheme that has the virtue that the physical parameters of these schemes can readily be computed in Reference [17]. For constructing these matrices, they used maximum distance separable (MDS) codes over GF(q), the finite field with q elements. An [n, k] MDS code over GF(q) consists of q^k vectors of length n with entries from GF(q) such that any two codewords have a Hamming distance of at least n − k + 1. It is known that such a code exists whenever q + 1 ≥ n. Therefore, we choose q ≥ n − 1.

Lemma 5 [17] Let C be an [n, k] MDS code over GF(q). In any set of k positions, each of the q^k possible patterns occurs in exactly one of the words of C.

Proof Fix k positions, two codewords that agree in these positions, differ in at most n k positions. We conclude that each of the q^k patterns agrees with at most one codeword. As the number of patterns equals the number of codewords, each pattern agrees with exactly one codeword in the given positions. ■

Let C be an [n, k] MDS code over GF(q). Let U(C) be an n × q^k matrix over GF(q) in which each word from C occurs as a column once, and let A(C) be the binary n × q^k matrix obtained from U(C) by replacing each nonzero symbol in GF(q) by a ‘1,’ and the zero symbol in GF(q) by a ‘0.’

Proposition 3 [17] Let 1 ≤ j ≤ k, the sum of any j rows of A(C) has weight 12qk−j[qj−(2−q)j] $\frac{1}{2} q^{k - j} [q^{j} - {(2 - q)}^{j}]$ .

Proof Consider j rows from U(C). Lemma 5 implies that each of the q^j possible patterns occurs in these j positions in q^k⁻^j words from C. The number of patterns with w nonzero elements equals (jw)(q−1)w $(\begin{matrix} j \\ w \end{matrix}) {(q - 1)}^{w}$ . Each such pattern yields a column in A(C) with exactly w ones in the j prescribed rows. Consequently, the number of ones in the sum of the j rows from A(C) under consideration equals

q k - j \sum w o d d (j w) (q - 1) w = 1 2 q k - j ((q - 1 + 1) j - (- 1) j (q - 1 - 1) j) .

$q^{k - j} \sum_{w o d d} (\begin{matrix} j \\ w \end{matrix}) {(q - 1)}^{w} = \frac{1}{2} q^{k - j} ({(q - 1 + 1)}^{j} - {(- 1)}^{j} {(q - 1 - 1)}^{j}) .$

Proposition 4 [17] The sum of any k + 1 rows of A(C) has a weight 12q(qk+1−(2−q)k+1)−q−1q2k $\frac{1}{2 q} (q^{k + 1} - {(2 - q)}^{k + 1}) - \frac{q - 1}{q} 2^{k}$ .

Proof Consider k + 1 positions in C. Any two distinct words from C differ in at least two of these positions. That is, restricted to these k + 1 positions, C is a [k + 1, k, 2] code over GF(q). The number of words of weight w in such a code equals

b w = (k + 1 w) (q - 1) \sum j = 0 w - 2 (- 1) j (w - 1 j) q w - 2 - j = (k + 1 w) (( q - 1 ) w - 1 - ( - 1 ) w - 1 q) .

$\begin{array}{l} b_{w} = (\begin{matrix} k + 1 \\ w \end{matrix}) (q - 1) \sum_{j = 0}^{w - 2} {(- 1)}^{j} (\begin{matrix} w - 1 \\ j \end{matrix}) q^{w - 2 - j} \\ = (\begin{matrix} k + 1 \\ w \end{matrix}) (\frac{{(q - 1)}^{w - 1} - {(- 1)}^{w - 1}}{q}) . \end{array}$

The weight of the sum of the rows of A(C) corresponding to the k + 1 chosen positions is obtained by summing the above expressions of b_w over all odd w.

■

Theorem 6 [17] Let 2 ≤ k ≤ n − 1, and let q be a prime power not smaller than n − 1. There exists a[(k,n);qk,12(qk+(−1)k(q−2)k+(q−1)2k),12(qk+(−1)k(q−2)k)] $a [(k, n); q^{k}, \frac{1}{2} (q^{k} + {(- 1)}^{k} {(q - 2)}^{k} + (q - 1) 2^{k}), \frac{1}{2} (q^{k} + {(- 1)}^{k} {(q - 2)}^{k})]$ VC scheme with contrast (q − 1)2^k⁻¹/[q^k + (−1)^k(q − 2)^k + (q − 1)2^k⁻¹].

Proof Let C be an [n, k] MDS code over GF(q), and let D be an [n, k − 1] MDS code over the same field. In the notation of this section, let A equal A(C), and let B equal the concatenation of q copies of A(D). By combining the above results, (A, B) is a (k, n) pair, and (P(A), P(B)) is a VC scheme with parameters as claimed in the theorem. ■

Bounds on the parameters m, h and l

Tuyls provided bounds on the parameters of a (k, n)-VC scheme. We start by proving that maximal contrast schemes (l = 0) do not exist. We note that for OR-based schemes maximal contrast schemes can always be constructed.

Proposition 5 [17] Let 3 ≤ k < n. There exists neither a [(k, n); m, h, 0] VC scheme, nor a [(k, n); m, m, l] VC scheme.

Proof Let S = (C₀, C₁) be a [(k, n); m, h, 0] VC scheme and let B ∈ C₁.. Denote by σ¹, σ² two arbitrary rows in B. Since n − 2 ≥ k − 1, B contains (at least) k − 1 more rows. We denote these rows by σ³, ⋯, σ^k⁺¹. Since S is a scheme with l = 0, the XOR of σ¹, σ³, ⋯, σ^k⁺¹ is the all-one vector, as is the XOR of σ², σ³, ⋯, σ^k⁺¹. If follows that σ¹ = σ², so all rows of B are equal.

Next, let A ∈ C₀ and consider row i and j of A. As k ≥ 3, the indistinguishability property of Definition 1 implies that there is a B ∈ C₁ that agrees with A in these rows. As all rows of B are equal, the i-th and j-th row of A are equal. Since i and j are arbitrary, all rows of A are equal, so A = B, a contradiction.

The second statement follows from an analogous reasoning. ■

The next two propositions show that XOR-based VC schemes with odd and even k fundamentally differ.

Proposition 6 [17] Let k be odd, and let k < n. For each ϵ > 0, there are integers m, h, and l such that l/m < ϵ and a [(k, n); m, h, l] VC scheme exists.

Proposition 7 [17] Let k be even, and let k < n. If a [(k, n); m, h, l] VC scheme exists, then l/m ≥ 1/(k + 1).

Corollary 7 [17] For even k < n, the contrast of a k out of n VC scheme is at most k/(k + 2).

Proof Let S be a [(k, n); m, h, l] scheme. By definition, the contrast α is equal to (h − l)/(h + l). It is clear that α is increasing in h, and so α ≤ (m − l)/(m + l). As (m − l)/(m + l) is decreasing in l, we obtain an upper bound on α by plugging in the upper bound for l from Proposition 7. ■

Lemma 6 [17] Let k be an even integer. Let B be a binary matrix with n rows such that the sum of any k rows from B differs from 0. Then B has at least n − k + 2 distinct rows.

Lemma 7 [17] Let (C₀, C₁) be a [(k, n); m, h, l] VC scheme with k ≥ 3, and let c₁ and c₂ be two rows of a matrix in C₀ and hence also two rows of some matrix in C₁. Then, the Hamming distance between c₁ and c₂ satisfies

d (c 1, c 2) \leq min {2 l, 2 (m - h)} .

$d (c_{1}, c_{2}) \leq \min {2 l, 2 (m - h)} .$

Proposition 8 [17] Let k be even, k ≥ 4. If a [(k, n); m, h, l] VC scheme exists, then n−k+1≤∑i=0min(l,2(m−h))(mi) $n - k + 1 \leq \sum_{i = 0}^{min (l, 2 (m - h))} (\begin{matrix} m \\ i \end{matrix})$

Proof Let k be even, k ≥ 4, and let S = (C₀, C₁) be a [(k, n); m, h, l] scheme. Let B be a matrix in C₁ . As l ≠ m, no k rows of B add to the all-zero word. Lemma 6 implies that B has at least n − k + 2 distinct rows. Since according to Lemma 7, all rows from B have a Hamming distance at most 2(m − h) to its top row, we obtain n−k+2≤∑i=02(m−h)(mi) $n - k + 2 \leq \sum_{i = 0}^{2 (m - h)} (\begin{matrix} m \\ i \end{matrix})$

Now we assume without loss of generality that the top n — k + 1 rows of B are distinct. Let c be the sum of the k − 1 bottom rows of B. For 1 ≤ i ≤ n − k + 1, the sum of c and the i-th row of B contains at most l ones; that is to say, the i-th row of B has a Hamming distance at most l to the complement of c. As the n − k + 1 top rows of B are distinct, n − k + 1 is at most the number of vectors at distance at most l from the complement of c, so n−k+1≤∑i=0l(mi) $n - k + 1 \leq \sum_{i = 0}^{l} (\begin{matrix} m \\ i \end{matrix})$ . ■

Construction 3

Droste [9] proposed an algorithm to construct a (k, n)-VC scheme under the OR operation. Liu et al. [13] proved that the basis matrices constructed by that algorithm are also the basis matrices of a (k, n)-VC scheme under the XOR operation. Droste’s algorithm can be described as follows.

For easy specification, we call a column of a Boolean matrix with an even number of 1’s even and otherwise odd. If B is a Boolean matrix, we define P(B) as the multiset of matrices obtained by permuting the columns of B, i.e., each permutation corresponds exactly to one element of P(B).

The following lemma will be needed later.

Lemma 8 [9] Let B₀ and B₁ be two n × m Boolean matrices so that there exist m − 2^k⁻¹ column vectors v1,⋯,vm−2k−1∈{0,1}k $v_{1}, \dots, v_{m - 2^{k - 1}} \in {0, 1}^{k}$ with the following property: for every {i₁, ⋯, i_k} ⊆ {1, ⋯, n} the restriction of B₀ (resp. B₁) to the rows i₁, ⋯, i_k contains every even (resp. odd) column of length k exactly once and all columns v1,⋯,vm−2k−1 $v_{1}, \dots, v_{m - 2^{k - 1}}$ . Then P(B₀) and P(B₁) are a k out of n secret sharing scheme with relative contrast 1/m; here the contrast is defined as α=h−lm $α = \frac{h - l}{m}$ .

The main idea for construction is to start with an empty matrix (which has no columns) and, for various q ∈ {0, ⋯, n} and all (nq) $(\begin{matrix} n \\ q \end{matrix})$ columns, which have exactly q 1’s. Because of the symmetry of this construction with respect to rows, all restrictions of such a matrix of k rows contain the same columns. And one can exactly determine which columns they contain.

Lemma 9 [9] For q ∈ {0, ⋯, n} let B be an n×(nq) $n \times (\begin{matrix} n \\ q \end{matrix})$ Boolean matrix that contains every column with q 1’s exactly once. Then every restriction of B to k rows (with k ≤ n) contains every column with p 1’s exactly (n−kq−p) $(\begin{matrix} n - k \\ q - p \end{matrix})$ -times (where p ∈ max{0, q − (n − k), ⋯, min(q, k)}).

Lemma 9 shows a possibility to expand a matrix, if we add to all its restrictions every column with p 1’s exactly once: just add all columns with q = p or q = p + n − k 1’s to the entire matrix. So a subroutine ADD(p, B) adds to each restriction of k rows of a matrix B every column with p 1’s by adding columns to the entire matrix.

ADD(p, B)

Step 1: If p ≤ k − p, add all the columns with q = p 1’s to B.

Step 2: If p ≥ k − p, add all the columns with q = p + n − k 1’s to B.

The subroutine makes it easy to construct basis matrices B₀ (resp. B₁) whose restrictions always contain every even (resp. odd) column. But besides these columns, every restriction of B₀ and B₁ can contain remaining columns (which are the same for all restrictions of one matrix because of the construction principle). To be appropriate for a k out of n scheme these remaining columns have to be the same for B₀ and B₁ (see Lemma 8). So the remaining columns of every restriction of B₀, which are not remaining columns of every restriction of B₁, called the rest of B₀, have to be added to every restriction of B₁ and vice versa. In most cases, these added columns will create new rests that cause new columns to be added.

Droste’s algorithm

Step 1: For all even p ∈ {0, ⋯, k}, call ADD(p, B_o).

Step 2: For all odd p ∈ {0, ⋯, k}, call ADD(p, B₁).

Step 3: While the rests of B₀ and B₁ are not empty:

Add to B₀ all columns adjusting the rest of B₁ by calling ADD.
Add to B₁ all columns adjusting the rest of B₀ by calling ADD.

Theorem 8 shows that Droste’s algorithm also generates a (k, n)-VC scheme under the XOR operation, by Liu et al. [13].

Theorem 8 [13] Droste’s algorithm generates the basis matrices of a (k, n)-VCS, B₀ and B₁, under the XOR operation.

Proof We need to prove that the basis matrices B₀ and B₁ satisfy the contrast and security conditions of Definition 1.

First, for the contrast condition, we need to prove that the Hamming weight of the stacking (XOR operation) of any k out of n rows of B₀ is less than that of B₁. Denote Bk0 $B_{0}^{k}$ (resp. Bk1 $B_{1}^{k}$ ) as the submatrix generated by restricting to arbitrary k rows of B₀ (resp. B₁). According to the Steps 1 and 2 in Droste’s algorithm, it is clear that all the even (resp. odd) columns appear in Bk0 $B_{0}^{k}$ (resp. odd). Denote Ik0 $I_{0}^{k}$ (resp.Ik1 $I_{1}^{k}$ ) as the matrix whose columns are all the even (resp. odd) columns of length k. Because Droste’s algorithm terminates when the rests of B₀ and B₁ are empty, it implies that the remaining columns of B₀ and B₁ are the same, that is, Bk0Ik0=Bk1Ik1 $B_{0}^{k} I_{0}^{k} = B_{1}^{k} I_{1}^{k}$ . Denote R as the remaining columns of B₀ and B₁, we have Bk0=Ik0∪R, Bk1=Ik1∪R $B_{0}^{k} = I_{0}^{k} \cup R, B_{1}^{k} = I_{1}^{k} \cup R$ . Because the XOR (operation) of the entries of an even (resp. odd) column is 0 (resp. 1), we have the result that the Hamming weight of the stacking (XOR operation) of the rows of Bk0 $B_{0}^{k}$ is less than that of Bk1 $B_{1}^{k}$ . Hence, the contrast condition is satisfied.

Second, for the security condition, we need to prove that the submatrices of any less than k rows of B₀ and B₁ have the same columns, and only in such a case, all the column permutations of the two submatrices will generate the same collection, that is, the security condition is satisfied. Denote Bt0 $B_{0}^{t}$ (resp. Bt1 $B_{1}^{t}$ ) as the submatrix generated by restricting to arbitrary t rows of B₀ (resp. B₁), where t < k. Denote Bk0 $B_{0}^{k}$ (resp. Bk1 $B_{1}^{k}$ ) as the submatrix generated by concatenating Bt0 $B_{0}^{t}$ (resp. Bt1 $B_{1}^{t}$ ) and arbitrary k − t rows chosen from the remaining rows of B₀ (resp. B₁) (other than the rows in Bt0 $B_{0}^{t}$ and Bt1 $B_{1}^{t}$ ). As discussed above, we have Bk0=Ik0∪R, Bk1=Ik1∪R $B_{0}^{k} = I_{0}^{k} \cup R, B_{1}^{k} = I_{1}^{k} \cup R$ , where Ik0 $I_{0}^{k}$ (resp. Ik1 $I_{1}^{k}$ ) is the matrix that contains all the even (resp. odd) columns of length k. Note that Ik0 $I_{0}^{k}$ and Ik1 $I_{1}^{k}$ are the basis matrices of a (k, k)-VC scheme proposed in References [16, 3]. We have the result that the submatrices generated by restricting to any t rows of B₀ and B₁ have the same columns. Hence, the submatrices generated by restricting to any t rows of B₀ and B₁ have the same columns, that is, the security condition is satisfied. ■

Besides the above schemes, Liu et al. [15] proposed a step construction to construct XOR-based visual cryptography for general access structure by applying (2, 2)-VCS recursively, where a participant may receive multiple share images. Readers can refer to [15] for more detail. An approach to construct extended XOR-based visual cryptography was proposed in Reference [14].

6.4 Visual Cryptography Scheme with Reversing

First we introduce the following notations that will be used throughout the section. Let A‖B denote the concatenation of two matrices A and B of the same number of rows. Let |X| be the number of elements in set X. The symbol ”⊕” denotes an XOR operation. Let GRAY(P) be the gray level of a pixel P and defined as GRAY(P) = |blαck pixel|/m.

6.4.1 (k, n) VC Scheme Using Cyclic-Shift Operation

Let the shadow image s = [s_ijk], and the element s_ijk is the secret pixel s_ij in a (W × H)-pixel secret image replaced by m subpixels (s_ij₁, s_ij₂, ⋯, s_ijm), where i ∈ [1, W], j ∈ [1, H], and k ∈ [1, m]. The cyclic-shift operation is Γ([s_ijk]) = [γ(s_ijk)], where γ(•) is a 1-bit cyclical right shift function, i.e.,

γ (s i j 1, s i j 2, \dots, s i j m) = (s i j m, s i j 1, \dots, s i j m - 1)

$γ (s_{i j 1}, s_{i j 2}, \dots, s_{i j m}) = (s_{i j m}, s_{i j 1}, \dots, s_{i j m - 1})$

A matrix operation Γ(•) cyclically shifts right one subpixel in every m subpixels (for a secret pixel) in the shadow image.

When the difference of whiteness ”h − l” is odd, we can design an ideal contrast VC scheme even when the underlying VC scheme with reversing is nonperfect black. At this time the decoding needs an XOR operation.

Yang et al.’s scheme [25] is described in a pseudo-code style below in terms of its construction procedure and the revealing procedure.

Yang et al.’s algorithm for a (k,n)-VC scheme

Distribution phase.

Step 1: Given a secret image, the dealer performs a (k, n) nonperfect black VC scheme(NPBVCS) to generate n shadows, s11,⋯,s1n $s_{1}^{1}, \dots, s_{n}^{1}$ for the first run.

Step 2: The dealer generates the shadows srj=Γ(sr−1j) $s_{j}^{r} = Γ (s_{j}^{r - 1})$ for the rth run, r = 2, ⋯, m. Note that the shadow should be labeled as to which run it is, for easy management by the participant.

Step 3: The dealer distributes m shadows s1j,⋯,smj $s_{j}^{1}, \dots, s_{j}^{m}$ to Participant j, j = 1, ⋯, n.

Step 4: Finally, every participant holds m shadows.

Reconstruction phase.

Step 1: To recover the secret within m runs, at least k participants, Participants j₁, ⋯, j_k, offer their (k × R) shadows sij1,⋯,sijk $s_{j 1}^{i}, \dots, s_{j k}^{i}$ , i = 1, ⋯R, for reconstruction.

Step 2: Stack the shadows srj1,⋯,srjk $s_{j 1}^{r}, \dots, s_{j k}^{r}$ to reconstruct the image T_r in the rth run.

T r = s r j 1 + s r j 2 + \dots + s r j k, r = 1, \dots, m

$T_{r} = s_{j 1}^{r} + s_{j 2}^{r} + \dots + s_{j k}^{r}, r = 1, \dots, m$

Step 3: Finish m runs by using an XOR operation to reconstruct U′ = T₁ ⊕ ⋯ ⊕ T_m.

Step 4: If ”m − h” is even (i.e., ”m − l” is odd) then the reconstructed image is U′; otherwise, the reconstructed image is U′.

Theorem 9 [25] The whiteness percentages of the white and black secret pixels for Yang et al.’s algorithm are P_W = 100% and P_W = 0%, respectively, after finishing m runs.

Proof There are ”m − h” B ”h” W (respectively ”m − l” B ”l” W) subpixels for the white (respectively black) secret pixel. When shifting right one bit m times, there are m h (respectively m − l) black subpixels for the white (respectively black) secret pixels in U′. Suppose ”m − h” is even (respectively odd); an XOR operation will result in all white subpixels for the white pixels in U′ (respectively U′). Thus, the P_W of the white secret pixel is 100%. On the other hand, even (respectively odd) ”m − h” means odd (respectively even) ”m − l” since ’h − l’ is odd. It is evident that an XOR operation will result in all black subpixels for the black pixels in U′ (respectively U′), i.e., the P_W of the black secret pixel is 0%. ■

An example (2,4) – NPBVCS is given below as a demonstration for Yang et al.’s algorithm.

Example 4 Suppose in (2, 4)-VCS with basis matrices B₀ and B₁.

B 0 = ⎡ ⎣ ⎢ ⎢ ⎢ ⎢ 1000100010001000 ⎤ ⎦ ⎥ ⎥ ⎥ ⎥, B 1 = ⎡ ⎣ ⎢ ⎢ ⎢ ⎢ 1000010000100001 ⎤ ⎦ ⎥ ⎥ ⎥ ⎥ .

$B_{0} = [\begin{matrix} 1000 \\ 1000 \\ 1000 \\ 1000 \end{matrix}], B_{1} = [\begin{matrix} 1000 \\ 0100 \\ 0010 \\ 0001 \end{matrix}] .$

The distribution phase is shown in Table 6.1 and the reconstruction phase is shown in Table 6.2 and Table 6.3.

Distribution phase:

Table 6.1 Distribution phase of (2, 4)-VCS using Yang et al.’s [25] algorithm.

Images

Reconstruction phase

Table 6.2 Reconstruction of participant 1 and 2 using Yang et al.’s [25] algorithm.

Pixel	First run T1=s11+s12 $T_{1} = s_{1}^{1} + s_{2}^{1}$	Second run T2=s21+s22 $T_{2} = s_{1}^{2} + s_{2}^{2}$	Third run T3=s31+s32 $T_{3} = s_{1}^{3} + s_{2}^{3}$	Fourth run T4=s41+s42 $T_{4} = s_{1}^{4} + s_{2}^{4}$	U′¯¯¯¯ $\bar{U^{'}}$
White	(1000)	(0100)	(0010)	(0001)	(0000)
Black	(1100)	(0110)	(0011)	(1001)	(1111)

Table 6.3 Reconstruction of participant 3 and 4 using Yang et al.’s [25] algorithm.

Pixel	First run T1=s13+s14 $T_{1} = s_{3}^{1} + s_{4}^{1}$	Second run T2=s23+s24 $T_{2} = s_{3}^{2} + s_{4}^{2}$	Third run T3=s33+s34 $T_{3} = s_{3}^{3} + s_{4}^{3}$	Fourth run T4=s43+s44 $T_{4} = s_{3}^{4} + s_{4}^{4}$	U′¯¯¯¯ $\bar{U^{'}}$
White	(1000)	(0100)	(0010)	(0001)	(0000)
Black	(0011)	(1001)	(1100)	(0110)	(1111)

We can see that the white pixel is reconstructed as four white subpixels and the black pixel is reconstructed as four black subpixels.

6.4.2 A Scheme for General Access Structure

Let P = {1, 2, ⋯, n} be a set of participants, 2^P represents the set of all subsets of P. Let Γ_qual ⊆ 2^P and Γ_forb ⊆ 2^P, where Γ_qual; ∩ Γ_forb = ϕ. The members of Γ_qual;(resp. Γ_forb) is called qualified sets (resp. forbidden sets). The Γ = (Γ_qual, Γ_forb) is called the access structure. Define Γ₀ = {A ∈ Γ_qual: A′ ∉ Γ_qual for all A′ ⊂ A} be all the minimal qualified sets [1].

Suppose Γ0={ΓQ1,⋯,ΓQt} $Γ_{0} = {Γ_{Q_{1}}, \dots, Γ_{Q_{t}}}$ , by employing the optimal (k, k)-scheme [16], the basis matrices L₀ and L₁ are constructed as follows:

Let kp=∣∣ΓQp∣∣ $k_{p} = | Γ_{Q_{p}} |$ , and ΓQp={p1,⋯,pkp} $Γ_{Q_{p}} = {p_{1}, \dots, p_{k_{p}}}$ , for 1 ≤ p ≤ t. We will construct a n×2kp−1 $n \times 2^{k_{p} - 1}$ matrix Eip,i∈{0,1} $E_{p}^{i}, i \in {0, 1}$ , i ∈ {0, 1} according to the following steps: the p_i row of E0p $E_{p}^{0}$ is the i-th row of the basis matrix B₀ of the (k_p, k_p)-scheme. The elements of other rows of E0p $E_{p}^{0}$ are all 1’s.

Then L0=E01 $L_{0} = E_{1}^{0}$ . The construction E1p $E_{p}^{1}$ of is similar to E0p $E_{p}^{0}$ except we replace the p_i row of from the basis matrix B₁ of the (k_p, k_p)-scheme instead of B₀. Then L1=E11∥⋯∥E1t $L_{1} = E_{1}^{1} ‖ \dots ‖ E_{t}^{1}$ .

Lemma 10 [10] The L₀ and L₁ are a pair of basis matrices of a perfect black VC scheme for Γ₀ such that the expansion rate is m=2|Q1−1|+⋯+2|Qt−1| $m = 2^{| Q_{1} - 1 |} + \dots + 2^{| Q_{t} - 1 |}$ and GRAY(white) = 1 − 1/m.

We now construct an n×2kp−1 $n \times 2^{k_{p} - 1}$ matrix F_p, which has the property that the elements in p_i row of F_p are all 0’s and the other rows of F are all 1’s, here 1 ≤ p ≤ t. Then an auxiliary basis matrix A₀ = F₁|⋯|F_i.

Hu and Tzeng [10] algorithm for minimal access structure

Input:

Γ₀ on a set ρ of n participants.
Let C0p $C_{p}^{0}$ and C1p $C_{p}^{1}$ be the collection of basis Boolean matrices E0p $E_{p}^{0}$ and E1p $E_{p}^{1}$ , where 1 ≤ p ≤ |Γ₀|.
Let CAp $C_{p}^{A}$ be the collection of matrix F_p.

Output:

The reconstructed secret image U.

Distribution phase:

The dealer encodes each transparency t_i as |Γ₀| subtransparecies t_i,p and each subblock consists of one secret image. For 1 ≤ p ≤ |Γ₀|, each white (resp. black) pixel on subblock t_i,p is encoded using n×2kp−1 $n \times 2^{k_{p} - 1}$ matrices E0p $E_{p}^{0}$ (resp. E1p $E_{p}^{1}$ ). To share a white (resp. black) pixel, the dealer performs the following steps:

Step 1: Randomly choose a matrix S0p $S_{p}^{0}$ in C0p $C_{p}^{0}$ (resp. S1p $S_{p}^{1}$ in C1p $C_{p}^{1}$ ), and a matrix A0p=[ai,j] $A_{p}^{0} = [a_{i, j}]$ in CAp $C_{p}^{A}$ .

Step 2: For each participant i, put a white (resp. black) pixel on the subblock t_i,p if s_i,j = 0 (resp. s_i,j = 1).

Step 3: For each participant i, put a white (resp. black) pixel on the subblock A_i,p if a_i,j·= 0 (resp. a_i,j·= 1).

Reconstruction phase:

Let Qp={i1,⋯,ikp} $Q_{p} = {i_{1}, \dots, i k_{p}}$ be the minimal qualified set in Γ₀, participants in Q_p reconstruct the secret image by:

Step 1: XORing all the shares tj and stacking all the shares A_j for j = 1, ⋯, k_p and obtain T and T=t1 ⊕⋯⊕ tkp,A=A1+A2+⋯+Akp $T = t_{1} \oplus \dots \oplus t_{k_{p}}, A = A_{1} + A_{2} + \dots + A_{k_{p}}$ respectively.

Step 2: Computing U = (T + A) ⊕ A.

Lemma 11 [10] The (k, k)-VC scheme [16] is an ideal contrast (k, k)-VC scheme with reversing.

Proof k participants perform XOR operations on the k transparencies by computing t₁ ⊕ t₂ ⊕ ⋯·⊕ t_k. It is easy to see that the white pixels are all white since S₀ has an even number of 1’s; whereas the black pixels are all black since S₁ has an odd number of 1’s. ■

Theorem 10 [10] Let Γ = (P, Q, F) be an access structure on a set ρ of n participants. Then the basis matrices B₀, B₁, and A₀ constitute a compatible ideal contrast VC scheme with reversing in two runs.

Proof It is obvious that the VC scheme is security. The basis matrix Ao also reveals absolutely no information about the secret image since no secret is encoded into the shares A_j for j = 1, ⋯, k_p.

Let L0=E01∥⋯∥E0t, L1=E11∥⋯∥E1t $L_{0} = E_{1}^{0} ‖ \dots ‖ E_{t}^{0}, L_{1} = E_{1}^{1} ‖ \dots ‖ E_{t}^{1}$ and A₀ = F₁‖ ⋯ ‖F_t be the basis matrices for a VC scheme with reversing, constructed using the previously described technique. Without loss of generality, let Γ₀ = {Q₀, ·⋯, Q_t} and X = Q₁, X be a subset of qualified participants. Since the secret image is reconstructed by computing (T + A) ⊕ A, we will prove that the general access structure has an ideal contrast, i.e., H((E01+F1)⊕F1)=0, H((E11+F1)⊕F1)=2|Q1|−1 $H ((E_{1}^{0} + F_{1}) \oplus F_{1}) = 0, H ((E_{1}^{1} + F_{1}) \oplus F_{1}) = 2^{| Q_{1} | - 1}$ and H((Ebi+Fi)⊕Fi) $H ((E_{i}^{b} + F_{i}) \oplus F_{i})$ for i = 2, ⋯, |Γ| and b = 0, 1. It results that H((E01+F1)⊕F1)= H((E01+0)⊕0)=H(E01⊕0)=H(E01)=0 $H ((E_{1}^{0} + F_{1}) \oplus F_{1}) = H ((E_{1}^{0} + 0) \oplus 0) = H (E_{1}^{0} \oplus 0) = H (E_{1}^{0}) = 0$ by Lemma 11, and H((E11+F1)⊕F1)= H((E11+0)⊕0)=H(E11⊕0)=H(E11)=2|Q1|−1 $H ((E_{1}^{1} + F_{1}) \oplus F_{1}) = H ((E_{1}^{1} + 0) \oplus 0) = H (E_{1}^{1} \oplus 0) = H (E_{1}^{1}) = 2^{| Q_{1} | - 1}$ by Lemma 11, whereas, H((Ebi+Fi)⊕Fi)= H((Ebi+1)⊕1)=w(1⊕1)=0 $H ((E_{i}^{b} + F_{i}) \oplus F_{i}) = H ((E_{i}^{b} + 1) \oplus 1) = w (1 \oplus 1) = 0$ for i = 2, ⋯, |Γ₀| and b = 0, 1. ■

We give the following example to illustrate the construction method above.

Example 5 Let p = {1, 2, 3, 4} and Γ₀ = {{1, 2}, {1, 3}, {2, 3}}. Then the basis matrices L₀, L₁, and A are constructed as follows according to the method above. B₀ and B₁ are basis matrices of a (2, 2) – VC scheme.

B 0 = [1010], B 1 = [1001] . E 01 = ⎡ ⎣ ⎢ 101010 ⎤ ⎦ ⎥, E 02 = ⎡ ⎣ ⎢ 111010 ⎤ ⎦ ⎥, E 03 = ⎡ ⎣ ⎢ 101110 ⎤ ⎦ ⎥, E 11 = ⎡ ⎣ ⎢ 100111 ⎤ ⎦ ⎥, E 12 = ⎡ ⎣ ⎢ 111001 ⎤ ⎦ ⎥, E 13 = ⎡ ⎣ ⎢ 101101 ⎤ ⎦ ⎥ . L 0 = ⎡ ⎣ ⎢ 101110101011111010 ⎤ ⎦ ⎥, L 1 = ⎡ ⎣ ⎢ 101110011011110101 ⎤ ⎦ ⎥ . F 1 = ⎡ ⎣ ⎢ 000011 ⎤ ⎦ ⎥, F 2 = ⎡ ⎣ ⎢ 110000 ⎤ ⎦ ⎥, F 3 = ⎡ ⎣ ⎢ 001100 ⎤ ⎦ ⎥, A 0 = ⎡ ⎣ ⎢ 001100000011110000 ⎤ ⎦ ⎥ .

$\begin{array}{l} B_{0} = [\begin{matrix} 10 \\ 10 \end{matrix}], B_{1} = [\begin{matrix} 10 \\ 01 \end{matrix}] . \\ E_{1}^{0} = [\begin{array}{l} 10 \\ 10 \\ 10 \end{array}], E_{2}^{0} = [\begin{array}{l} 11 \\ 10 \\ 10 \end{array}], E_{3}^{0} = [\begin{array}{l} 10 \\ 11 \\ 10 \end{array}], E_{1}^{1} = [\begin{array}{l} 10 \\ 01 \\ 11 \end{array}], E_{2}^{1} = [\begin{array}{l} 11 \\ 10 \\ 01 \end{array}], E_{3}^{1} = [\begin{array}{l} 10 \\ 11 \\ 01 \end{array}] . \\ L_{0} = [\begin{array}{l} 101110 \\ 101011 \\ 111010 \end{array}], L_{1} = [\begin{array}{l} 101110 \\ 011011 \\ 110101 \end{array}] . \\ F_{1} = [\begin{array}{l} 00 \\ 00 \\ 11 \end{array}], F_{2} = [\begin{array}{l} 11 \\ 00 \\ 00 \end{array}], F_{3} = [\begin{array}{l} 00 \\ 11 \\ 00 \end{array}], A_{0} = [\begin{array}{l} 001100 \\ 000011 \\ 110000 \end{array}] . \end{array}$

The distribution phase is shown in Table 6.4 and the reconstruction phase is shown in Tables 6.5, 6.6, and 6.7.

Distribution phase

Table 6.4 Distribution phase of the visual cryptography with minimal access structure Γ₀ = 1, 2, 1, 3, 2, 3 using Hu and Tzeng [10] algorithm.

Images

Reconstruction phase

Table 6.5 Reconstruction of participant 1 and 2 using Hu and Tzeng [10] algorithm.

Pixel	First run	Second run	U = (T + A) ⊕ A
	T = t₁ ⊕ t₂	A = A₁ + A₂
Black	(110101)	(001111)	(110000)
White	(000101)	(001111)	(000000)

Table 6.6 Reconstruction of participant 1 and 3 using Hu and Tzeng [10] algorithm.

Pixel	First run	Second run	U = (T + A) ⊕ A
	T = t₁ ⊕ t₃	A = A₁ + A₃
Black	(011011)	(111100)	(000011)
White	(010100)	(111100)	(000000)

Table 6.7 Reconstruction of participant 2 and 3 using Hu and Tzeng [10] algorithm.

Pixel	First run	Second run	U = (T + A) ⊕ A
	T = t₂ ⊕ t₃	A = A₂ + A₃
Black	(101110)	(110011)	(001100)
White	(010001)	(110011)	(000000)

6.5 Secret Sharing Scheme Using Boolean Operation

This section gives an introduction to some methods using an XOR Boolean operation directly without using basis matrices to construct secret sharing schemes. The algorithms of three schemes: the probabilistic (2, n) secret sharing scheme, (n, n) secret sharing scheme, and (k, n) secret sharing scheme will be described.

Consider a secret image A with size N_R × N_C. Each pixel of A can take any one of c different colors or gray levels. Image A is represented by an integer matrix A. A=[aij]NR×NC $A . A = {[a_{i j}]}_{N_{R} \times N_{C}}$ , where i = 1, 2, ⋯ , N_R, j = 1, 2, ⋯ , N_C, and a_ij ∈ {0,1, ⋯ , c − 1}. We have c = 2 for a binary image and c = 256 for grayscale image with one byte per pixel. In a color image with one byte per pixel, the pixel value can be an index to a color table, thus, c = 256. In a color image using an RGB model, each pixel has three integers: R(red), G(green), and B(blue). If each R, G, or B takes a value between 0 and 255, we have c = 256³. This integer matrix is also called A and will be treated as equivalent to the secret image A itself. The symbol ”&” denotes an AND operation in the following construction.

6.5.1 (2, n) Scheme

To solve the pixel expansion problem with VSS schemes, Ito et al. [11], Yang [24] and Cimato et al. [6] proposed probabilistic VSS models. The frequency of white pixels in a white (or black) area is used to display the contrast of the recovered image. In reconstructing the secret image, the ”OR”-ed operation of pixels of the shadows is the same as the stacking operation of subpixels in the nonprobabilistic VSS schemes. They defined p₀ (resp. p₁) as the appearance probability of a white pixel in a white (resp. black) area of the recovered image. For a fixed threshold probability 0 ≤ p_TH ≤ 1 and relative contrast α ≥ 0, if p₀ ≥ p_TH and p₁ ≤ p_TH − α, the frequency of white pixels in a white area of the recovered image should be higher than that in a black area.

Wang et al. [23] proposed a probabilistic (2, n) secret sharing scheme for binary images. Boolean XOR and AND operations are employed, and n + 1 distinct random matrices are generated as intermediate results. The scheme is described in a pseudo-code style below in terms of its input, output, the construction procedure, and the revealing procedure.

Wang et al.’s [23] algorithm for (2,n) scheme

Input: an integer n with n ≥ 2, and the secret image A.

Output: n distinct matrices A₁ ⋯ , A_n, called shadow images.

Construction:

Step 1: Generate n +1 random matrices B₁, ⋯ , B_n₊₁.

Step 2: Compute n intermediate matrices C₁, ⋯ , C_n with C_i = B_i&A for i = 1 , ⋯ , n.

Step 3: Compute n shadow images A₁, ⋯ , A_n with A_i = B_n₊₁ ⊕ C_i for i = 1, ⋯ , n.

Revealing: A′ = A_i ⊕ A_j where i, j ∈ {1, 2, ⋯ , n} and i ≠ j.

For integer scalar inputs between 0 and c−1, each operand is represented in binary and the operation is carried out bit-by-bit. For example, when a = 125 and b = 18, the XOR between these two integers is

a \oplus b = (125) 10 \oplus (18) 10 = (01111101) 2 \oplus (00010010) 2 = (01101111) 2 = (111) 10

$a \oplus b = {(125)}_{10} \oplus {(18)}_{10} = {(01111101)}_{2} \oplus {(00010010)}_{2} = {(01101111)}_{2} = {(111)}_{10}$

For matrix inputs, the XOR operation of two N_R × N_C matrices is defined pixel-wise. That is,

A \oplus B = [a i j \oplus b i j], where i = 1, 2, \dots, N R, j = 1, 2, \dots, N c .

$A \oplus B = [a_{i j} \oplus b_{i j}], where i = 1, 2, \dots, N_{R}, j = 1, 2, \dots, N_{c} .$

The AND operation for integer scalar operands and matrix operands can be defined similarly.

In all computations, every pixel is handled individually, separated from other pixels. Therefore, to make the context clear, we denote pixel A_i(s,t) simply as A_i. With the above construction procedure, for a ”0” pixel in A and any i, we have C_i = B_i&0 = 0 and A_i = B_n₊₁ ⊕ C_i = B_n₊₁, thus

A' = A i \oplus A j = B n + 1 \oplus B n + 1 = 0.

$A^{'} = A_{i} \oplus A_{j} = B_{n + 1} \oplus B_{n + 1} = 0.$

For a ”1” pixel in A, C_i = B_i&1 = B_i and A_i = B_n₊₁ ⊕ B_i, thus

A' = A i \oplus A j = B n + 1 \oplus B n + 1 \oplus B i \oplus B j = B i \oplus B j

$A^{'} = A_{i} \oplus A_{j} = B_{n + 1} \oplus B_{n + 1} \oplus B_{i} \oplus B_{j} = B_{i} \oplus B_{j}$

which could be 0 or 1. In other words, between the original image A and a reconstructed image A′, the ”0” bits are kept the same and the ”1” bits may or may not changed. With any single shadow image, no information of A is revealed because of the random nature of the matrices B′s. It is easy to verify that the n matrices A₁, A₂, ⋯ , A_n are n distinct random matrices from construction method above, each A_i (i = 1, ⋯ , n) does not contain any information of the original matrix A.

Associated Shamir’s secret sharing scheme and a gradual search algorithm for a single bitmap block truncation coding with the above (2, n) scheme, the secret sharing scheme for color images was proposed in Reference [3]. Combined the above (2, n) scheme with voting strategy, the probabilistic visual secret sharing scheme for grayscale images was provided in Reference [4]. Based on the above proposed (2, n) scheme, the matrices B₁, B₂, ⋯ , B_n are chosen according to Yang’s into ”probabilistic VC scheme and the (2, n) probabilistic scheme with improved contrast was given in Reference [19].

6.5.2 (n, n) Scheme

The construction steps are given in the context of grayscale images. It is trivially applicable to binary images and can be easily extended to color images.

Wang et al.’s [23] algorithm for (n,n) scheme

Input: an integer n with n ≥ 2, and the secret image A.

Output: n distinct matrices A₁, ⋯ , A_n, called shadow images.

Construction:

Step 1: Generate n − 1 random matrices B₁, ⋯ , B_n₋₁.

Step 2: Compute the shadow images as below:

A₁ = B₁, A₂ = B₁ ⊕ B₂,⋯⋯, A_n₋₁ = B_n₋₂ ⊕ B_n₋₁, A_n = B_n₋₁ ⊕ A.

Revealing: A′ = A₁ ⊕ A₂ ⊕ ⋯ ⊕ A_n.

Theorem 11 [23] A₁ ⊕ A₂ ⊕⋯⊕ A_n = A.

Proof Because the ”⊕” operation is associative and B_i ⊕ B_i is a zero matrix for any i, we have

A' = B 1 \oplus (B 1 \oplus B 2) \oplus \dots \oplus (B n - 2 \oplus B n - 1) \oplus (B n - 1 \oplus A) = (B 1 \oplus B 1) \oplus \dots \oplus (B n - 1 \oplus B n - 1) \oplus A = A .

$\begin{array}{l} A^{'} = B_{1} \oplus (B_{1} \oplus B_{2}) \oplus \dots \oplus (B_{n - 2} \oplus B_{n - 1}) \oplus (B_{n - 1} \oplus A) \\ = (B_{1} \oplus B_{1}) \oplus \dots \oplus (B_{n - 1} \oplus B_{n - 1}) \oplus A \\ = A . \end{array}$

Theorem 12 [23] A_i₁ ⊕A_i₂ ⊕⋯⊕A_ik ≠ A for any set of integers {i₁,⋯,i_k} when k < n.

Proof We consider two cases. Case 1 is for n ∈ {i₁,⋯ i_k} and Case 2 is for n ∉ {i_ı,⋯, i_k}.

Case 1: n ∈ {i₁,⋯,i_k}. In this case, An ⊕(⊕ tj=sAj)=A ⊕Bn−1⊕(⊕ tj=sAj) $A_{n} \oplus (\oplus_{j = s}^{t} A_{j}) = A \oplus B_{n - 1} \oplus (\oplus_{j = s}^{t} A_{j})$ where ⊕ tj=s $\oplus_{j = s}^{t}$ means A_s ⊕ ⋯⊕ A_t with s,⋯,t being the indices in 1,⋯, i_k} besides n. Since there are an odd number of n − 2 term random matrices involved, at least one of them cannot be absorbed into a zero matrix, thus Ai1 ⊕Ai2⊕⋯⊕Aik $A_{i_{1}} \oplus A_{i_{2}} \oplus \dots \oplus A_{i_{k}}$ must be random, thus not equal to A.

Case 2: n ∉ {i₁,⋯, i_k}. Since no matrix A involved in Ai1 ⊕Ai2⊕⋯⊕Aik $A_{i_{1}} \oplus A_{i_{2}} \oplus \dots \oplus A_{i_{k}}$ to begin with, Ai1 ⊕Ai2⊕⋯⊕Aik $A_{i_{1}} \oplus A_{i_{2}} \oplus \dots \oplus A_{i_{k}}$ is constructed from the n − 1 term random matrices only and it must be random.

Next, we analyze the steps of Wang et al.’s [23] (n,n) algorithm in the context of the grayscale image below. It is trivially applicable to a binary image and can be easily extended to a color image. Now we give an example to demonstrate the computation steps in the construction/revealing process using the above algorithm.

Example 6 Let n = 3 and the secret image A be a single pixel.

Input: A = (240)₁₀ = (1111 0000)₂

Construction:

Step 1:

B_ı = (125)₁₀ = (0111 1101)₂,

B₂ = (10)₁₀ = (0001 0010)₂

Step 2:

A_ı = B_ı = (125)₁₀ = (0111 1101)₂,

A₂ = B₁ ⊕ B₂ = (0110 1111)₂,

A₃ = B₂ ⊕ A = (1110 0010)₂

Revealing: A′ = A₁ ⊕ A₂ ⊕ A₃ = (1111 0000)₂ = (240)₁₀.

From the above algorithm, it is known that the proposed (n, n) scheme reconstructs the secret image exactly and when fewer than n shadows are used, the original secret image A will not be revealed. Moreover, only simple Boolean XOR operations are used and the size of each shadow image is the same as the original image, thus no pixel expansion. The above (n, n) secret sharing scheme was applied to deal with gray scale and color secret images respectively in Reference [22].

6.5.3 (k, n) Scheme

Based on above Wang et al.’s [23] (n, n) secret sharing scheme [23], Chao and Lin [5] have attempted to construct a (k, n) secret sharing scheme. To design a threshold (k, n) scheme, one may first directly utilize Wang et al.’s [23] (m, m) scheme for some carefully chosen parameter m=(nk−1) $m = (\begin{matrix} n \\ k - 1 \end{matrix})$ . The (k, n, m) shadows-assignment matrix has n rows and m columns. Its n rows represent n persons; and its m columns represent the m (distinct) temporary shadows produced by the above (m, m) scheme. The element of H is either 0 or 1. The i-th person (row) has a copy of the j-th shadow image (column) if and only if H_ij. Each column of H have exactly k − 1 zeros and n − k + 1 ones.

Now we will introduce Chao et al.’s (k, n)-VC scheme based on the (k, n, m) shadows assignment matrix H.

Chao and Lin [5] algorithm for (k,n) scheme

Input: the secret image A

Output: the final shadow S_i

Construction:

Step 1: Generate a random image B₁ with the same size as A.

Step 2: Generate another image B₂ using B₂ = B₁ ⊕ A.

Step 3: Construct a n × m shadows-assignment matrix H, each column of H have exactly k − 1 zeros and n − k + 1 ones, so m=(nk−1) $m = (\begin{matrix} n \\ k - 1 \end{matrix})$ .

Step 4: Partition B₁ and B₂ into m nonoverlapping blocks C₁₁, C₂₁, ⋯ ,C_m₁ and C₁₂, C₂₂, ⋯, C_m₂.

Step 5: Let C* = C₁₁ ⊕ C₂₁ ⊕ ⋯ ⊕ C_m₁. Compute C_i₃ = C_i₂ ⊕ C*.

Step 6: Construct m temporary shadows C₁, C₂, ⋯ , C_m, where the upper half of each C_i is the block C_i₁ and the lower half of each C_i is the block C_i₃.

Step 7: Assign the duplicated copies of the m temporary shadows C₁, C₂, ⋯ , C_m to the n persons according to the shadows-assignment matrix H. For each participant i, the final shadow S_i is exactly the union of those copies assigned to him.

Revealing:

Step 1: k participants using their shares Si1,⋯,Sik $S_{i_{1}}, \dots, S_{i_{k}}$ to reconstruct the secret image. Referring to H, all m temporary shadows C₁, C₂, ⋯ , C_m can be extracted from these k final shadows.

Step 2: The upper half of each C_i is the block C_i₁ and the lower half of each C_i is the block C_i₃. So we get all C₁₁, C₂₁,⋯, C_m₁ and C₁₃, C₂₃, ⋯, C_m₃.

Step 3: Compute C* = C₁₁ ⊕ C₂₁ ⊕⋯⊕ C_m₁, then C_i₂ = C_i₃ ⊕ C*.

Step 4: Recombination C₁₁, C₂₁,⋯, C_m₁ and C₁₂, C₂₂, ⋯ , C_m₂ into B₁ and B₂.

Step 5: Reveal the secret image A′ by A′ = B₁ ⊕ B₂.

Let the size of secret image A be N_R × N_C. Since the size of every temporary shadow C_i(1 ≤ i ≤ m) is 2 × (N_R × N_C)/m, the size of every final shadow Si(1≤i≤n) is [2×(NR×NC)m]×(n−1k−1)=2(NR×NC)(n−k+1)n $S_{i} (1 \leq i \leq n) is [\frac{2 \times (N_{R} \times N_{C})}{m}] \times (\begin{matrix} n - 1 \\ k - 1 \end{matrix}) = \frac{2 (N_{R} \times N_{C}) (n - k + 1)}{n}$ . Notice that each final shadow S_i(1 ≤ i ≤ n) contains (n−1k−1) $(\begin{matrix} n - 1 \\ k - 1 \end{matrix})$ temporary shadows. After we divide by the size of secret image A, we obtain the pixel expansion rate per=2×n−k+1n<2 $p e r = 2 \times \frac{n - k + 1}{n} < 2$ . Each shadow will be at most two times larger than secret image A.

Next, we will give an example to analyze the steps of Chao and Lin [5] (k, n) algorithm scheme.

Example 7 Let k = 3, n = 4, and a grayscale secret image A=[23518845103239234] $A = [\begin{matrix} 235 & 45 & 239 \\ 188 & 103 & 234 \end{matrix}]$ .

Input: the secret image A=[23518845103239234] $A = [\begin{matrix} 235 & 45 & 239 \\ 188 & 103 & 234 \end{matrix}]$

Output: the final shadows S₁, S₂, S₃, S₄

Construction:

Step 1: Generate random image B1=[10522814902082] $B_{1} = [\begin{matrix} 105 & 14 & 208 \\ 228 & 90 & 2 \end{matrix}]$

Step 2: Generate B2=B1⊕A=[10522814902082]⊕[23518845103239234]=[13088356163232] $B_{2} = B_{1} \oplus A = [\begin{matrix} 105 & 14 & 208 \\ 228 & 90 & 2 \end{matrix}] \oplus [\begin{matrix} 235 & 45 & 239 \\ 188 & 103 & 234 \end{matrix}] = [\begin{matrix} 130 & 35 & 63 \\ 88 & 61 & 232 \end{matrix}]$

Step 3: m=(nk−1)=(42) $m = (\begin{matrix} n \\ k - 1 \end{matrix}) = (\begin{matrix} 4 \\ 2 \end{matrix})$ . Construct a 4 × 6 shadows-assignment matrix H, each column of H have exactly 2 zeros and 2 ones, so

H = ⎛ ⎝ ⎜ ⎜ ⎜ 001101010110100110101100 ⎞ ⎠ ⎟ ⎟ ⎟

$H = (\begin{array}{l} 0 & 0 & 0 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 1 & 0 & 1 & 0 & 0 \end{array})$

Step 4: Partition B₁ into 6 nonoverlapping blocks C₁₁ = 105, C₂₁ = 14, C₃₁ = 208, C₄₁ = 228, C₅₁ = 90, C₆₁ = 2, Partition into 6 nonoverlapping blocks C₁₂ = 130, C₂₂ = 35, C₃₂ = 63, C₄₂ = 88, C₅₂ = 61, C₆₂ = 232.

Step 5: C* = C₁₁ ⊕ C₂₁ ⊕ ⋯ ⊕ C₆₁ = 105 ⊕ 14 ⊕ 208 ⊕ 228 ⊕ 90 ⊕ 2 = 11. Compute C₁₃ = C₁₂ ⊕ C* = 130 ⊕ 11 = 137, similarly C₂₃ = 40, C₃₃ = 52, C₄₃ = 83, C₅₃ = 54, C₆₃ = 227.

Step 6: Construct 6 temporary shadows C1=[105137],C2=[1440],C3=[208137],C4=[22883],C5=[9054],C6=[2227] $C_{1} = [\begin{matrix} 105 \\ 137 \end{matrix}], C_{2} = [\begin{matrix} 14 \\ 40 \end{matrix}], C_{3} = [\begin{matrix} 208 \\ 137 \end{matrix}], C_{4} = [\begin{matrix} 228 \\ 83 \end{matrix}], C_{5} = [\begin{matrix} 90 \\ 54 \end{matrix}], C_{6} = [\begin{matrix} 2 \\ 227 \end{matrix}]$ where the upper half of each C_i is the block C_i₁ and the lower half is the block C_į₃.

Step 7: According to the shadows-assignment matrix H, assign C₄, C₅, C₆ → S₁, C₂, C₃, C₆ → S₂, C₁, C₃, C₅ → S₃, C₁, C₂, C₄ → S₄.

Revealing:

Step 1: Suppose 3 participants using their shares S₁, S₂, S₃ to reconstruct the secret image. Referring to H, all 6 temporary shadows C1=[105137],C2=[1440],C3=[208137],C4=[22883],C5=[9054],C6=[2227] $C_{1} = [\begin{matrix} 105 \\ 137 \end{matrix}], C_{2} = [\begin{matrix} 14 \\ 40 \end{matrix}], C_{3} = [\begin{matrix} 208 \\ 137 \end{matrix}], C_{4} = [\begin{matrix} 228 \\ 83 \end{matrix}], C_{5} = [\begin{matrix} 90 \\ 54 \end{matrix}], C_{6} = [\begin{matrix} 2 \\ 227 \end{matrix}]$ , can be extracted from S₁, S₂, S₃.

Step 2: The upper half of each C_i is the block C_i₁ and the lower half of each C_i is the block C_i₃. So we get all C₁₁ = 105, C₂₁ = 14, C₂₁ = 14, C₃₁ = 208, C₄₁ = 228, C₅₁ = 90, C₆₁ = 2 and C₁₃ = 137, C₂₃ = 40, C₃₃ = 52, C₄₃ = 83, C₅₃ = 54, C₆₃ = 227.

Step 3: Compute C* = C₁₁⊕C₂₁ ⊕⋯⊕C₆₁ = 105⊕14⊕208⊕228⊕90⊕2 = 11, then C₁₂ = C₁₃ ⊕ C* = 137 ⊕ 11 = 130. Similarly, C₂₂ = 35, C₃₂ = 63, C₄₂ = 88, C₅₂ = 61, C₆₂ = 232.

Step 4: B1=[C11C41C21C51C31C61]=[10522814902082]andB2=[C12C42C22C52C32C62]=[13088356163232]. $\begin{matrix} B_{1} & = & [\begin{matrix} C_{11} & C_{21} & C_{31} \\ C_{41} & C_{51} & C_{61} \end{matrix}] & = & [\begin{matrix} 105 & 14 & 208 \\ 228 & 90 & 2 \end{matrix}] & and & B_{2} & = & [\begin{matrix} C_{12} & C_{22} & C_{32} \\ C_{42} & C_{52} & C_{62} \end{matrix}] & = & [\begin{matrix} 130 & 35 & 63 \\ 88 & 61 & 232 \end{matrix}] . \end{matrix}$

Step 5: Reveal the secret image

A' = B 1 \oplus B 2 = [10522814902082] \oplus [13088356163232] = [23518845103239234] .

$A^{'} = B_{1} \oplus B_{2} = [\begin{matrix} 105 & 14 & 208 \\ 228 & 90 & 2 \end{matrix}] \oplus [\begin{matrix} 130 & 35 & 63 \\ 88 & 61 & 232 \end{matrix}] = [\begin{matrix} 235 & 45 & 239 \\ 188 & 103 & 234 \end{matrix}] .$

6.6 Conclusion

XOR-based visual cryptography schemes use XOR operation to decrypt the secret These schemes have higher contrast compared with OR-based visual cryptography. This chapter introduced three types of different XOR-based visual cryptography schemes. The three type schemes have their virtues respectively. We also notice there is XOR-based audio cryptography, which uses music to embed message and relies on the human auditory system to decrypt secret messages. It is a very interesting topic, however we do not cover audio cryptography schemes because the topic in this chapter is limited to image, and readers can see more details in Reference [8].

Acknowledgments

The research work related to this chapter was supported by the National Natural Science Foundation of China under Grant No. 60873249, 863 Project of China under Grant 2008AA01Z419.

Bibliography

[1] G. Ateniese, C. Blundo, and A. D. Santis. Visual cryptography for general access structures. In Information and Computation, volume 129, pages 86–106, 1996.

[2] E. Biham and A. Itzkovitz. Visual cryptography with polarization. In The Dagstuhl Seminar on Cryptography, September 1997, and in the RUMP session of CRYPTO’98, 1997.

[3] C. C. Chang, C. C. Lin, T. H. N. Le, and H. B. Le. A new probabilistic visual secret sharing scheme for color images. In 4th International Conference on Intelligent Information Hiding and Multimedia Signal Processing, pages 1305–1308, 2008.

[4] C. C. Chang, C. C. Lin, T. H. N. Le, and H. B. Le. A probabilistic visual secret sharing scheme for grayscale images with voting strategy. In Proceedings of the International Symposium on Electronic Commerce and Security, pages 184–188, 2008.

[5] K. Y. Chao and J. C. Lin. Secret image sharing: A Boolean-operations-based approach combining benefits of polynomial-based and fast approaches. International Journal of Pattern Recognition and Artificial Intelligence, 23((2):263–285, 2009.

[6] S. Cimato, R. De Prisco, and A. De Santis. Probabilistic visual cryptography schemes. Computer Journal, 49((1):97–107, 2006.

[7] S. Cimato, A. De Santis, A. L. Ferrara, and B. Masucci. Ideal contrast visual cryptography schemes with reversing. Information Processing Letters, 93((4):199–206, 2005.

[8] Y. Desmedt, S. Hou, and J. J. Quisquater. Audio and optical cryptography. In ASIACRYPT ’98, Lecture Notes in Computer Science, volume 1514, pages 392–404, 1998.

[9] S. Droste. New results on visual cryptography. In Advances in Cryptology-CRYPTO ’96, Lecture Notes in Computer Science, volume 1109, pages 401–415, 1996.

[10] C. M. Hu and W. G. Tzeng. Compatible ideal contrast visual cryptography schemes with reversing. Information Security, 3650:300–313, 2005.

[11] R. Ito, H. Kuwakado, and H. Tanaka. Image size invariant visual cryptography. IEICE Trans. Fundamentals, E82-A(10):2172–2177, 1999.

[12] S. S. Lee, J. C. Na, S. W. Sohn, C. Park, D. H. Seo, and S. J. Kim. Visual cryptography based on an interferometric encryption technique. ETRI Journal, 24((5):373–380, 2002.

[13] F. Liu, C. K. Wu, and X. J. Lin. Colour visual cryptography schemes. IET Information Security, 2((4):151–165, 2008.

[14] F. Liu, C. K. Wu, and X. J. Lin. Some extensions on threshold visual cryptography schemes. Computer Journal, 53:107–119, 2010.

[15] F. Liu, C. K. Wu, and X. J. Lin. Step construction of visual cryptography schemes. In IEEE Transactions on Information Forensics and Security, volume 5, pages 27–28, 2010.

[16] M. Naor and A. Shamir. Visual cryptography. In Visual Cryptography, Proceedings of Eurocrypto ’94, Lecture Note in Computer Science, volume 950, pages 1–12, 1995.

[17] P. Tuyls, H. D. L. Hollmann, J. H. V. Lint, and L. Tolhuizen. Xor-based visual cryptography schemes. Designs Codes and Cryptography, 37:169–186, 2005.

[18] P. Tuyls, H.D.L. Hollmann, H.H.V. Lint, and L. Tolhuizen. A polarisation based visual crypto system and its secret sharing schemes. http://eprint.iacr.org, 2002.

[19] M. Ulutas, V. V. Nabiyev, and G. Ulutas. A PVSS scheme based on Boolean operations with improved contrast. In 2009 International Conference on Network and Service Security, pages 1–5, 2009.

[20] E. R. Verheul and H. C. A. van Tilborg. Constructions and properties of k-out-of-n visual secret sharing schemes. Designs, Codes and Cryptography, 11:179–196, 1997.

[21] D. Q. Viet and K. Kurosawa. Almost ideal contrast visual cryptography with reversing. In Proceeding of Topics in Cryptology-CT-RSA2004, Lecture Notes in Computer Science, volume 2964, pages 353–365, 2004.

[22] D. S. Wang, X. Li, and F. Yi. Probabilistic (n,n) visual sharing scheme for grayscale images. In SKLOIS Conference on Information Security and Cryptology, Inscrypt 2007, Lecture Notes in Computer Science, volume 4990, pages 192–200, 2008.

[23] D. S. Wang, L. Zhang, N. Ma, and X. Li. Two secret sharing schemes based on Boolean operations. Pattern Recognition, 40:2776–2785, 2007.

[24] C. N. Yang. New visual secret sharing schemes using probabilistic method. Pattern Recognition Letters, 25:481–494, 2004.

[25] C. N. Yang, C. C. Wang, and T. S. Chen. Real perfect contrast visual secret schemes with reversing. In Lecture Notes in Computer Science, volume 3989, pages 433–447, 2006.

[26] C. N. Yang, C. C. Wang, and T. S. Chen. Visual cryptography schemes with reversing. Computer Journal, 51((6):710–722, 2008.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for
6 XOR-Based Visual Cryptography

6

XOR-Based Visual Cryptography

CONTENTS

6.1 Introduction

6.2 Preliminaries

6.3 Visual Cryptography Scheme Using the Polarization of Light

6.3.1 (2, n) Scheme

6.3.2 (n, n) Scheme

6.3.3 (k, n) Scheme

6.4 Visual Cryptography Scheme with Reversing

6.4.1 (k, n) VC Scheme Using Cyclic-Shift Operation

6.4.2 A Scheme for General Access Structure

6.5 Secret Sharing Scheme Using Boolean Operation

6.5.1 (2, n) Scheme

6.5.2 (n, n) Scheme

6.5.3 (k, n) Scheme

6.6 Conclusion

Acknowledgments

Bibliography

Table of Contents for 6 XOR-Based Visual Cryptography

Create new playlist

Sign In

Sign Up

CONTENTS

Acknowledgments

Table of Contents for
6 XOR-Based Visual Cryptography