16.2.1 Lin and Tsai’s Scheme

Lin-Tsai’s scheme is a (k, n)-threshold polynomial-based scheme that combines steganography and authentication to enable the sharing of secret images [15]. Their scheme uses parity check to achieve authentication, and each pixel in a secret image is used to produce n shared pixels for n participants by using the polynomial function in Equation 16.1.

Later, both the parity check bits and the shared pixels are embedded into the corresponding four-pixel blocks in the cover image. For simplicity, assume that I_ij is the ij-th pixel in the secret image and Bij1,Bij2,…,Bijn are the n cover blocks in the cover image, where Bijk is the block with position (i, j) in the k-th cover for 1 ≤ k ≤ n, which contains four pixels, Yijk,Vijk,Wijk, and Zijk, as shown in Figure 16.1.

Here, the binary representations of the pixels Yijk,Vijk,Wijk and Zijk, are (y₁ y₂ …y₈), (v₁ v₂ …v₈), (w₁ w₂…w₈) and (z₁ z₂…z₈), respectively. The steps in this scheme are as follows.

Step 1: Set the modulus p used in the polynomial in 16.1 to 251. If the pixel I_ij ≥ 250, it is directly truncated to 250. Apparently, this operation can distort the secret image.

Step 2: Take the pixel I_ij· as the coefficient c₀ and choose k − 1 integers as other coefficients c₁, c₂,…,c_k−1 randomly to construct a polynomial in Equation 16.1. Then takes the pixel value Yijk for 1 ≤ k ≤ n as the input x of the polynomial to compute the shared pixel F(Yijk)=Sijk=(s1s2…s8), where (s₁ s₂…s₈) means eight bits of the shared pixel Sijk.

Step 3: Embed the shared pixel Sijk into the block Bijk by replacing the eight bits v₇ v₈, w₆ w₇ w₈ and z₆ z₇ z₈ with s₁ s₂…s₈ as shown in Figure 16.2.

Step 4: Generate a check bit b according to parity check policy to achieve the authentication capability shown in Figure 16.2.

Unfortunately, in Lin-Tsai’s scheme, the parity bit of the upper-right pixel shown in Figure 16.2 is chosen to make this pixel an even or odd parity as a binary parity sequence. Dishonest participants can derive the parity information from their own stego-images, and thus can easily and maliciously counterfeit a stego-image. For instance, assume that the upper-right pixel V¯ijk=(11011111). A dishonest participant can modify it to (11011 010), which still meets the odd parity, but the 8-bit input of (k-1)-degree polynomial becomes changed. Thus, it successfully passes authentication but the (k-1)-degree polynomial cannot be obtained. In addition, the dishonest participant can also modify three other pixels, Y¯ijk,W¯ijk, and Z¯ijk, to change the input and output of (k-1)-degree polynomial without influencing the upper-right pixel V¯ijk, thus passing authentication. Therefore, their scheme has a weak authentication process, which may allow a fake stego-image to pass the authentication check quite easily.

16.2.2 Yang et al.’s Scheme

To overcome the weaknesses in Lin-Tsai’s scheme, Yang et al. [28] proposed an improved version in 2007. In Yang et al.’s scheme, the modulus value p is set to the Galois Field GF(2⁸), that is, p = g(x) = x⁸ + x⁴ + x³ + x¹ + x⁰. This approach allows the acquisition of a secret image without distortion.

In Yang et al’s scheme, let the pixel I_ij of the secret image be used to produce the n shared pixels Sij1,Sij2,…,Sijn, to be embedded into the cover blocks Cij1,Cij2,…,Sijn, where each cover block is represented as Cijk={Vijk,Yijk,Zijk,Uijk} for 1 ≤ k ≤ n as shown in Figure 16.3. Pixel I_ij of the secret image is first embedded into the coefficient c₀ to construct a polynomial as shown in Equation 16.1. Next, the shared pixel Sijk is computed by taking the pixel value Vijk of the corresponding cover image block Cijk as the input x of the polynomial shown in Equation 16.1. Let the binary representation of the shared pixel Sijk be (s₁ s₂…s₈). Hence, the shared pixel Sijk is embedded into its corresponding cover image block Cijk by replacing the eight bits v₁ v₀ y₁ y₀ z₁ z₀ u₁ u₀ with s₁ s₂ …s₈, and at the same time, the bits z₃ z₂ of pixel Zijk are replaced by v₁v₀ of pixel Vijk in order to keep the complete pixel value Vijk for recovering the corresponding secret pixel as shown in Figure 16.4.

However, Yang et al.’s scheme cannot avoid the fact that four least significant bits (LSBs) of the pixel value Zijk in each block must be modified. Such modification may make the stego-images different from the cover images visually and the risk of being observed by attackers is increased.

To further improve Lin-Tsai’s authentication ability, Yang et al. used the hash-based message authentication code (HMAC) in Equation 16.2.

where id is the block ID; Cijk is 31 bits except the check bit b; H( ) and k denote a one-way hash function and the secret key, respectively. Next, as shown in Equation 16.3, the 160-bit HMAC output and executes the XOR operation to obtain the authentication bit b.

However, the average probability of detecting any malicious modification is just 50% because of the characteristic of the parity check itself. In other words, the fake stego-images still have a very high probability of being authenticated successfully.

16.2.3 Chang et al.’s Scheme

In 2008, Chang et al. proposed an enhanced secret sharing scheme based on Lin-Tsai’s scheme and Yang et al.’s scheme. They used the concept of Thien and Lin’s secret image sharing [23] to ensure that no distortion is introduced into the secret image and applied the concept of the Chinese Remainder Theorem (CRT) to improve authentication ability. As a result, their scheme can achieve high authentication ability. The flowchart of Chang et al.’s scheme [9] is shown in Figure 16.5.

Four check bits p₁, p₂, p₃, p₄ can be calculated and embedded into the stego-block (shown in Figure 16.5). The details are shown in the steps below.

Step 1: The residues set of the block C¯ijk in Figure 16.6 is determined.

Rij,1k=(x7x6x5x4x3s1s2);

Rij,2k=(v7v6v5v4s3s4);

Rij,3k=(w7w6w5w4w3s5s6);

Rij,4k=(z7z6z5z4z3s7s8);

Rij,5k=i;;

Rij,6k=j..

Step 2: Decide six moduli that are pairwise relatively prime Mij,1k,Mij,2k,Mij,3k,…, and Mij,6k, where each modulus Mij,ak, for 1 ≤ a ≤ 6, is the prime number greater than Rij,ak.

Step 3: Calculate the Yijk integer by Equation 16.4. Suppose that the binary representation of the Yijk is (y₁y₂…y_e). Note that the number of binary bits of Yijk has to be a multiple of 4.

Step 4: Four interim authentication bits a₁, a₂, a₃, and a₄ are computed by Equation 16.5.

Step 5: Denote b₁, b₂, b₃, and b₄ as the current four watermark bits; four check bits p₁, p₂, p₃, and p₄ can be computed by Equation 16.6.

Step 6: Replace the four LSBs x₀v₀w₀z₀ with the computed check bits p₁ p₂ p₃ p₄ as presented in Figure 16.6.

16.3.1 Error Diffusion Technique

The error diffusion technique is typically used to convert a multiple-level color image into a two-level color image. There are many kinds of idiographic error diffusion strategies. The common concept behind diffusion is the diffusion of errors to neighboring pixels; in this way, no image luminance is lost. The diffused image generated based on an error diffusion strategy is called an error filter. Each error filter has a set of kernel weights. Assume that GI(x,y) is the value of a pixel in position (x,y) in a grayscale secret image. Figure 16.7 is a flowchart of the error diffusion technique.

In the proposed scheme, the Floyd and Steinberg error diffusion strategy is adopted and the kernel weights are Wr=716,Wb=516,Wbl=316,​​​Wbr=116,, as shown in Figure 16.8.

After the quantization procedure, a pixel GI(x,y) at position (x,y) in grayscale image GI becomes HI(x,y) and has a value of either 0 or 255. During the quantization procedure, a threshold TH is used to determine HI(x,y) according to Equation 16.7 and the quantization error is determined by Equation (5.8).

Next, error E(x,y) is diffused over four neighboring pixels, GI(x, y+1), GI(x +1, y-1), GI(x + 1, y), and GI(x + 1, y+1), according to Equation 16.9 and the kernel weights (denoted as W) of the error filter are shown in Figure 16.8.

where i, j ∈ {0,1}, W∈{116,316,516,716}·

Based on Figure 16.8 and Equation 16.9, we can see that when pixels are on the border of the grayscale image, special cases occur. The four kinds of pixels listed below should be considered in distinguishing these cases.

Case 1: The pixels located at (x, 1), where x =1, 2,…, H-1.

Case 2: The pixels located at (H, y), where y =1, 2,…, W-1.

Case 3: The pixels located at (x, W), where x =1, 2,…, H-1.

Case 4: The pixel located at (H, W).

The positions of all four kinds of pixels are represented in Figure 16.9, with the white squares showing the positions of the pixels located at the border of an image. To deal with these special cases, we adopt a special skill, called “excursion” in the procedure, as shown in Figure 16.10.

When applied to these pixels, Floyd and Steinberg’s error filter is slightly modified to ignore the nonexistent pixels because the number of these pixels is small compared with the total number of pixels in the whole image. To give a clearer explanation, the following paragraphs give one instance for each case.

At first, set E(1, 1) = 0. For case 1, the pixels at position (x, 1), where x = 1, 2,…, H-1 are considered. We take the pixel at position (1, 1) for example. The value of HI(1, 1) is determined by Equation 16.7. However, there is no pixel at position (2, 0) corresponding to GI(x+1, y-1). Thus, the neighboring pixels that accepted error diffusion are shown in Figure 16.11 for Case 1.

For Case 2, we take the pixel at position (H, 1) for example. The pixel at position (H, 1) is called GI(H, 1) and has an error value of E(H, 1). However, there are no pixels at positions (H+1, 0), (H+1, 1), and (H+1, 2) corresponding to GI(x+1, y-1), GI(x+1, y), and GI(x+1, y+1). Thus, the neighboring pixels that accepted error diffusion are shown in Figure 16.12 for Case 2.

For Case 3, we take the pixel at position (1, W) for example. There are no pixels at positions (1, W+1) and (2, W+1) corresponding to GI(x, y+1) and GI(x+1, y+1). Thus, the neighboring pixels that accepted error diffusion are shown in Figure 16.13 for Case 3.

And last, for Case 4, the pixel GI(H, W) at position (H, W), there are no pixels at positions (H, W+1), (H+1, W-1), (H+1, W), and (H+1, W+1) corresponding to GI(x, y+1), GI(x+1, y-1), GI(x+1, y), and GI(x+1, y+1). Thus, there are no neighboring pixels that accepted error diffusion for this case.

We next describe how to use the Floyd and Steinberg error diffusion strategy to transform a gray-scale image into a binary image. The detailed steps are set forth as follows:

Input: A gray-scale secret image GI sized H × W.

Output: A binary image HI sized H × W.

Step 1: Set a threshold TH = 127

Step 2: for i=1 H, j=1: W

Loop: if (i = 1) or i = H + 2)|(j = 1) or (j= W+2) → EGI(i,j) = 0; else EGI(i, j) = GI(i − 1,j − 1);

Step 3: for i = 2:H + 1, j = 2: W +1

Loop: if EGI(i, j) ≥ TH → EHI(i,j) = 255;

else EHI(i,j) = 0;

E(i,j) = EGI(i,j)-EHI(i,j);

EGI(i,j + 1) = EGI(i,j + 1) +E(i, j) × Wr; EGI(i + 1,j = EGI(i,j + 1) +E(i, j) × Wb;

EGI(i + 1,j + 1) = EGI(i + 1,j + 1) +E(i, j) × Wb;

EGI(i + 1,j - 1) = EGI(i + 1,j - 1) + E(i, j) × Wbl;

Step 4: for i = 1: H, j = 1:W

HI(i,j) = EHI(i + 1, j + 1).

16.3.2 Interpolation Technique

In computer computations, a discrete number system rather than a real number system is applied due to the limitations of machine representation. Therefore, a continuous signal must be sampled for computer storage and calculation. However, sampling is always destructive to the original information and new samples often must be reselected when the sampling scale is changed. Let us denote R as a real signal performed in the real number system as shown in Figure 16.14(a); denote D as the digital signal created by R, which is performed in the discrete number system shown in Figure 16.14 (b). The digital signal D′ shown in Figure 16.14(c) is generated by sampling digital signal D.

Figure 16.14 shows that the re-sampled signal D′ can be easily retrieved when the real signal R is always available. However, the original signal is usually discarded after receiving the digital signal D. As a result, the resampled signal D′ must be created from the former signal D. Interpolation is a classical solution for calculating the new samples from another digital signal. Take bilinear interpolation for example. A new sample in signal D′ is expected to be an average value of the two neighboring original samples in D. Assuming that (x, f(x)) and (y, f(y)) are two neighboring samples in D, we can calculate a new sample (z, f (z)) in D′ according to Equation 16.10.

16.3.3 Canny Edge Detector

Edge detection is a kind of commonly used technique in image processing. The areas in an image with strong intensity contrasting from one pixel to the next are called edges. The purpose of edge detection is filtering out useless information in an image and significantly reducing the amount of data, while preserving the important structural properties.

Since the pioneering work by Roberts in 1965 [19], a mass of schemes have been developed for detecting edges. The Canny edge detection algorithm is known to many as the optimal edge detector proposed by J. Canny in 1986 [12], which finds edges by looking for local maxima of the gradient of the input image. The gradient is calculated using the derivative of a Gaussian filter. The Canny edge detector contains several adjustable parameters, listed as follows, which can affect the computation time and effectiveness of the algorithm itself. The first parameter is the size of the Gaussian filter, the smoothing filter used in the first stage, which directly affects the results of the Canny detection algorithm. Generally, smaller filters cause less blurring, and allow detection of small, sharp lines. On the contrary, larger filters cause more blurring, smearing out the value of a given pixel over a larger area of the image. Two thresholds are the other parameters. Actually, a too high threshold may make missing important information. On the other hand, a threshold set too low will falsely identify irrelevant information as important. Therewith, the detection would be more likely to be fooled by noise. The Canny edge detection method uses two thresholds, to detect strong and weak edges, and includes the weak edges in the output only if they are connected to strong edges.

The Canny edge detector works in a multistage process. First of all, the image is smoothed by Gaussian convolution. Afterwards, to highlight regions of the image with high first spatial derivatives, a simple 2-D first derivative operator is applied to the smoothed image and edges give rise to ridges in the gradient magnitude image. Then, the algorithm tracks along the top of these ridges and sets to zero all pixels that are not actually on the ridge top so as to give a thin line in the output, a process known as nonmaximal suppression. The tracking process exhibits hysteresis controlled by two thresholds, denoted by T₁ and T₂, where T₁ > T₂. Tracking can only begin at a point on a ridge higher than T₁ and then continues in both directions out from that point until the height of the ridge falls below T₂ . The Canny edge detector is more likely to detect true weak edges and less likely than the others to be fooled by noise.

16.3.4 Edge Lookup Inverse Halftoning Technique

The inverse halftoning technique is used to reconstruct a gray-scale image from an input halftone image. Based on the lookup table (LUT) [10,16] technique, in 2005 Chung and Wu [11] proposed a new edge-based lookup table (LUT) scheme that improves the quality of the reconstructed grayscale image. In the following paragraphs we call Chung and Wu’s scheme ELUT for short. The ELUT scheme first applies the LUT-based inverse halftoning scheme as a preprocessing step to transform the input halftone image to a base grayscale image, and then the edges are extracted and classified from the base grayscale image. According to these classified edges, a novel edge-based LUT is built up to reconstruct the grayscale image, i.e., the ELUT scheme. Figure 16.15 is a flowchart of Chung and Wu’s ELUT scheme.

Input: A set of n training image pairs (GI_i, HI_i), where GI_i and HI_i are denoted as the i-th grayscale image and its corresponding halftone image, respectively.

Step 1: Generate the lookup table (LUT) by using the five substeps that follow. An array LUT[ ] is used to map the given halftone image to the corresponding grayscale image.

1. For initialization, i = 1, LUT[k] = 0, where 0 ≤ k ≤ 2¹⁶ − 1.

2. Divide images double HIi and GIi into overlapping 4 × 4 blocks and denote them as BH_ij and BG_ij. In other words, BH_ij and BG_ij are the j-th halftone block of halftone image HI_i and the j-th grayscale block of grayscale image GI_i, respectively.

3. Calculate index k for each halftone block BH_ij and update the value of the intermediate LUT[k] by using Equation 16.10. Here, BG_ij(3, 3) is a representative pixel for each grayscale block.

   {k=∑u=14∑v=142(v−1)+4×(u−1)×BHij(u,v)LUT[K]=LUT[K]+BGij(3,3),⁢(16.11)

4. i = i + 1. If i ≤ n, go to Step b. Otherwise, compute and archive the final LUT[]. N[k] is another array used to store the number of halftone blocks that obtain the same index value k.

5. For 0 ≤ k ≤ 2¹⁶ − 1, LUT[k]=LUT[k]N[k].

Step 2: Replace the element BH_ij(3, 3) in every block BH_ij by LUT[k], where k is the index value of block BH_ij calculated in Step c. When the replacement procedure is finished, retrieve the grayscale image with pixel values corresponding to LUT[k].

Step 3: After applying Step 2 to a set of n training images in succession, a set of reconstructed grayscale images called GI′i, i = 1, 2,…, n, can be retrieved. Adopt Canny’s edge detector to each reconstructed grayscale image GI′i to generate an edge map EM_i, for i =1, 2,…, n. Each edge map EM_i consists of a set of 4 × 4 blocks. Therefore, the j-th block of the edge map EM_i is denoted as BE_ij. By combining the lookup table LUT generation procedure described in Step 1 with a set of edge maps EM_i, an edge-based LUT, called an ELUT, is generated. Note that in this step, we call the edge map EM. The order of the edge pattern of the ij-th block is denoted as BE_ij. The index value for ij-th block is I_ij for 0 ≤ k ≤ 2¹⁶ − 1. Finally, the mean grayscale value can be derived from ELUT[I_ij, BE_ij], where 0 ≤ EM_ij ≤ 38 based on the number of edge patterns reported by Chung and Wu [11]. In Chung and Wu’s scheme, the value of GI′ij (3, 3) is determinate as Equation 16.12.

Step 4: Input a halftone image HI, which will be converted to the grayscale image GI′ . The detailed procedure is shown in Figure 16.16.

16.3.5 Shamir Scheme for Secret Sharing

The proposed scheme for secret image sharing is based on the (k,n)-threshold secret sharing scheme proposed by Shamir (1979) [20]. In this section we describe how to use the Shamir scheme to generate secret sharing. In the following steps we use the (k-1)-degree polynomial shown in Equation 16.16 to generate n shares for a group of n secret sharing participants from a secret integer value s for the threshold k.

where i = 1, 2,… , n.

Step 1: Select the number k, k ≤ n.

Step 2: Choose the (k-1) integers a₁, a₂, a_k-1 randomly.

Step 3: For the i-th secret sharing participant, choose a value of x_i freely, i = 1, 2,…, n. Note that all x_i must be distinct from one another.

Step 4: For each chosen x_i, compute the corresponding F(x_i) by using Equation 16.13.

Step 5: Deliver each pair of (x_i, F(x_i)) as a secret share to each participant.

In this secret sharing process, the values of a_i, i = 1, 2, … , k − 1, need not be kept after all secret shares are generated. As well as the secret value s, each αi can be recovered from the n secret shares in the secret recovery steps listed below.

Step 1: Collect at least k secret shares from the n ones to form a system of equations as shown in Equation 16.13. Note that the xi and F(x_i) in Equation 16.13 with i =1, 2, … , k can all be extracted from the k secret shares.

Step 2: Use a polynomial interpolation technique, e.g., Lagrange scheme, to solve s and a_i, i = 1, 2, … , k − 1. Reconstruct the (k − 1)-degree polynomial F(x) described by Equation 16.14.

Step 3: Compute the solution for the secret value s by Equation 16.15.

16.4.1 Sharing and Embedding Phase

A detailed algorithm for the sharing and embedding phase is described in this section.

Input: The secret grayscale image GI and cover image CI.

Output: Stego-image SI.

Step 1: Apply the error diffusion technique (EDT) to the grayscale image GI to retrieve a halftone image HI Obviously, the width and height of HI are W and H. Moreover, each pixel in halftone image HI contains only 1 bit.

Step 2: Divide halftone image HI into Z nonoverlapping 6-bit blocks, Z=⌊H×W6⌋. HI_z (z = 1,2,…,Z) is the z-th block of HI and the value of HI_z, is denoted as P_z illustrated in Figure 16.19.

Step 3: This is the basic process for secret image sharing with P_z as the secret, z = 1, 2, … Z, Z=⌊H×W6⌋. This procedure contains five substeps, which are performed as follows.

1. Take the value X_i formed from 2-MSBs (Most Significant Bits) of the four pixels of each cover CB_i as the value x specified in Equation 16.16, i = 1, 2 …, n, as shown in Figure 16.20, X_i = (c₇c₆d₇d₆g₇g₆h₇h₆)_D.

   F(xi)=(s+a1×xi1+a2×xi2+…+ak−1×xik−1)mod26⁢(16.16)

2. Take the secret P_z as the value s specified in Equation 16.16.

3. With a random number generator, generate a set of k − 1 integers a₁, a₂, a_k−1 in Equation 16.16, where k ≤ n.

4. For each X_i, compute the corresponding value of F(X_i) by Equation 16.16 to form a secret share (X_i, F(X_i)) for each participant in the secret sharing group, F(X_i) = f₅ f₄ f₃ f₂ f₁ f_0.

5. Hide the six data bits of F(X_i) in the Least Significant Bits of the four pixels C_i, D_i, G_i, and H_i of the corresponding cover block C B_i as shown in Figure 16.21.

Step 4: To prevent illicit attempts, a simple authentication ability is added here. Compute check bits pi by using Equation 16.17 and embed pi into the remaining LSBs of C_i, D_i, G_i, H_i from the same cover block where i = 1, 2, …, t. Note that t is the total number of check bits, which is discretionary and could be decided by the sender according to authentication strength. For simplicity, we take t = 2 as an example to explain the procedure as shown in Figure 16.22. Figure 16.23 illustrates a flowchart of this phase.

16.4.2 Reconstruction and Verifying Phase

This section describes the proposed secret recovery scheme and authentication scheme. Recall that after performing the secret sharing process for a group of n participants, each participant obtains one stego-image SI′j. The proposed process for stego-image authentication and secret image recovery is summarized in the following paragraphs.

Input: The random number generator used to generate integers a₁, a₂, …, a_k−1 in Equation 16.16, the secret key t used for generating the check bits (e.g., t = 2), and a set of at least k stego-images SI′j, say m ones, with k ≤ m ≤ n, j =1, 2, …, m.

Output: A report of failure of secret reconstruction, or the recovered secret image GI′ if all the stego-images are authenticated as genuine.

Step 1: Use the random number generator to generate a₁, a₂, a_k−1 in Equation 16.16.

Step 2: Divide each received stego-image SI′j, j = 1, 2,…, m, into 2 × 2 blocks CB′1,CB′2,…,CB′z and denote the four pixels in each block CB′z as C′z,D′z,G′z, and H′z as shown in Figure 16.24.

Step 3: For each stego-image SI′j from participant j, j ∈ {1, 2,…, m}, perform the following substeps for stego-image authentication.

1. t = 2, extract the 2-bit check bits from each block CB′z, as shown in Figure 16.25. P2=g′1,P1=h′1.

2. Calculate the data for verification according to Equation 16.18.

   

   FIGURE 451.16
   The four pixels of each stego block CB′j.

   {T=C′z‖D′‖G′z−g′1‖H′z−h′1P=T′mod2tP′={p′i|i∈{1,2,…t},p′i∈{0,1}},⁢(16.18)

3. If for each block, P′2=p2,P′1=p1, then regard the stego-image as having passed authentication and continue; otherwise, decide that the stego-image has been tampered with.

Step 4: If m′ stego-images have passed authentication in Step 3, and m′ ≥ k, then continue. For each collected stego-image SI′i,SI′i=SIi; otherwise, stop the program and report failure of the secret recovery step.

Step 5: For each z =1, 2, …, Z, Z=⌊H×W6⌋, perform the following sub-steps to recover the secret data P_z.

1. For each SI′i,i∈{1,2,…m′}, extract the 2 most significant bits (MSBs) of the four pixels of each cover as the value X_i specified in Equation 16.16, X=(c′7c′6d′7d′6g′7g′6h′7h′6)D; extract the data bits of F(X_i) from the LSBs of pixels C′i,D′i,G′i, and H′i, as shown in Figure 16.26, as a value of F(X_i) appearing in Equation 16.16.

2. By using the scheme described in Section 16.3.5, compute the corresponding value of y as the value P_z.

3. For each z = 1, 2, …, Z, Z=⌊H×W6⌋, perform last steps to obtain all of the P_z for the blocks of halftone image HI of the secret image GI.

Step 6: Apply the edge- and LUT-based inverse halftoning algorithm (ELUT, introduced in Section 16.3.4) to the halftone image HI to retrieve the gray-scale image GI′, i.e., the secret image.