10.2.1 Visual Cryptography

A visual secret sharing scheme is a special variant of a k-out-of-n secret sharing scheme where the shares given to participants are xeroxed onto transparencies. Therefore, a share is also called a transparency. If X is a qualified subset, then the participants in X can visually recover the secret image by stacking their transparencies without performing any cryptographic computation. Usually, the secret is an image. To create the transparencies, each black and white pixel of the secret image is handled separately. It appears as a collection of m black and white subpixels in each of the n transparencies. We will call these m subpixels a block. Therefore, a pixel of the secret image corresponds to nm subpixels. We can describe the nm subpixels by an n × m Boolean matrix, called a base matrix, S = [S_ij] such that S_ij = 1 if and only if the j^th subpixel of the i^th share is black and S_ij = 0 if and only if the j^th subpixel of the i^th share is white. The gray level of the stack of k shared blocks is determined by the Hamming weight H(V) of the “OR”ed m-vector V of the corresponding k rows in S. This gray level is interpreted by the visual system of the users as black if H (V) ≥ d and as white if H (V) ≤ d − α * m for some fixed threshold d and relative difference α. We would like m to be as small as possible and α to be as large as possible.

More formally, a solution to the k-out-of-n VC consists of two collections C⁰ and C¹ of n × m base matrices. To share a white pixel, the dealer randomly chooses one of the matrices from C⁰, and to share a black pixel, the dealer randomly chooses one of the matrices from C¹. The chosen matrix determines the m subpixels in each one of the n transparencies. Figure 10.1 shows the basic concept of visual cryptography.

Definition 1 A solution to the k-out-of-n VC consists of two collections C⁰ and C¹ of n × m base matrices. The solution is considered valid if the following conditions are met:

Contrast conditions:

1. For any matrix S⁰ in C⁰, the “or” V of any k of the n rows satisfies H(V) ≤ d − a * m.

2. For any matrix S¹ in C¹, the “or” V of any k of the n rows satisfies H(V) ≥ d.

Security condition:

3. For any subset {i₁, i₂, …, i_q} of {1, 2,…, n} with q < k, the two collections D⁰, D¹ of q × m matrices obtained by restricting each n × m matrix in C⁰, C¹ to rows i₁,i₂,K,i_q are indistinguishable in the sense that they contain the same matrices with the same frequencies.

Figure 10.2 shows the basic concept of a 2-out-of-2 visual secret sharing scheme. The secret image is shared through two noise-like transparencies: T₁ and T₂. In this case, a block consists of 4 subpixels. Each black(white) pixel of the secret image is turned into two black and two white subpixels of T₁ and T₂. Figure 10.3 shows an example of a 2-out-of-3 visual secret sharing scheme.

10.2.2 Cheating in VC

In [8], Horng et al. showed that cheating is possible in k-out-of-n VC. Let’s take the 2-out-of-3 visual secret sharing scheme shown in Figure 10.3 as an example. A secret image is encoded into three distinct transparencies, denoted T₁, T₂, and T₃. Then, the three transparencies are respectively delivered to Alice, Bob, and Carol. Without loss of generality, Bob and Carol are assumed to be collusive cheaters and Alice is the victim. During the cheating activity, Bob and Carol use S₂ and S₃ to create forged transparency S′2 such that superimposing S′2 and S₃ will visually recover the cheating image as in Figure 10.4. Precisely, by observing the following collections of 3 × 3 matrices that are used to generate transparencies, collusive cheaters can predict the actual structure of the victim’s transparency so as to create S′2.

By observing the above matrices, two rows of above C⁰ or C¹ matrix are determined by collusive cheaters. Therefore, the structure of the corresponding block of S₁ is exact the remaining row. For presenting a white pixel of cheating image, the block of S′2 is set to be the same structure of S₁. For presenting a black pixel of cheating image, the block of S′2 is set to be the different structure of S₁. For example, if the block of S₁ is [010], then S′2 is set to be [010] for a white pixel or it is set to be [001] for a black pixel.

We note that if the forged shares deviate too much from the original shares then the victim will notice the difference and suspect being cheated. Therefore, a necessary condition for a cheating activity to be successful is that the forged shares must be indistinguishable from the original shares. There are different cheating activities defined in [15].

10.3.1 HCT1 and HCT2

In [8], two cheating prevention schemes are proposed: the Authentication Based Cheating Prevention scheme, referred to as HCT1, and the 2-out-of-(n + l) cheating prevention scheme, referred to as HCT2. HCT1, shown in Figure 10.5, is a share-authentication-based cheating prevention scheme and HCT2, shown in Figure 10.7, is a blind-authentication-based cheating prevention scheme. Figure 10.6 shows an experiment of HCT1. In HCT1, each participant uses an extra transparency to verify the integrity of other transparencies by means of the appearance of the verification logo. A participant adopts a verification transparency to verify the integrity of other transparencies through the appearance of his own verification logo. Each verification transparency is generated by a 2-out-of-2 VC. Therefore, each participant receives two transparencies, namely, secret share transparency and verification transparency created by the 2-out-of-n and 2-out-of-2 VC, respectively. Figure 10.6 shows an experiment of HCT1.

HCT2 generates (n+l) transparencies but it only delivers n transparencies to participants. The probability that cheaters can correctly guess the structure of each block generated for a black pixel of the victim’s transparency is down to 1/(1 + l). The secret image is redesigned to consist of two complementary parts. Two binary images are said to be complementary to each other if and only if they have the same size and, for all corresponding pixels, one is black and the other is white. Therefore, the probability that cheaters can correctly guess the structure of victim’s transparency is negligible. The idea can be extended to design a k-out-of-(n + l) cheating prevention scheme.

10.3.2 HT

The core of HT, shown in Figure 10.8, uses a generic transformation to create new transparencies by adding two subpixels to every block of every original transparency. Then, HT creates a verification transparency for each participant such that the stacking result of the new transparency with the verification transparency will reveal a verification image. Therefore, HT is a share-authentication-based cheating prevention scheme. Basically, HT will perform the following steps with input C⁰ and C¹ to create verification transparencies

1. Let T0=[10⋮10|C0] and T1=[10⋮10|C1]

2. Use T⁰ and T¹ as the base matrices for creating transparencies

3. For each participant P_i, choose a verification image and create a verification transparency v_i as follows:

   

   FIGURE 290.10
   HT.

   1. For each white pixel in the verification image, the block of v_i created based on [1 0 0 … 0] (after corresponding permutation as for generating the secret shares in step 2).

   2. b For each black pixel in the verification image, the block of v_i created based on [0 1 0 … 0] (after corresponding permutation as for generating the secret shares in step 2).

In the decoding phase of the secret image, before stacking transparencies, each P_i checks the stacking result of v_i with T_j held by participant P_j revealing his own verification image. Figure 10.9 shows an example of an HT scheme.

10.3.3 TCH

In [18], Tsai et al. proposed a cheating prevention scheme, shown in Figure 10.10, images where shares are generated by Genetic Algorithms. TCH adopts multiple secret images with the same visual meaning. Each qualified subset only reveals the corresponding reconstructed secret image and the others are left unknown to potential cheaters. Any participant accepts the decoding result only if the visually reconstructed secret image is authentic. In TCH, the fitness function of the Generic Algorithm was designed according to a 2-out-of-n visual secret sharing scheme. But, it is not guaranteed that the same quality is obtained because the Generic Algorithm is a kind of heuristic algorithm. Therefore, the dealer should control the quality of all reconstructed secret images before delivering all transparencies. That is, all transparencies should be indistinguishable.

10.3.4 PS1 and PS2

In 2009, De Prisco and De Santis [20] proposed 2-out-of-n and n-out-of-n cheating prevention schemes, as shown in Figure 10.11. They are obtained by simply adding an extra column with all 0s to the base matrices of the schemes of Naor and Shamir.

In the following, we describe another 2-out-of-n cheating prevention scheme, as shown in Figure 10.12 and proposed in the same paper. This scheme does not require the use of a complementary image. The base matrices of the scheme have dimension n × (2ⁿ + n +1). The white base matrix C⁰ has the following columns: all the possible 2ⁿ binary column vectors of length n, one additional column with all 1s and n additional columns with all 0s. Whereas, the black base matrix C¹ has the following columns: all the possible 2ⁿ binary column-vectors of length n, one additional column with all 0s in the n columns of the identity matrix of dimension n × n.

The base matrices of a 2-out-of-3 PS2 scheme are shown as follows:

We refer the readers to [20] for more details.