J. Vis. Commun. Image R. 25 (2014) 1093–1101

Contents lists available at ScienceDirect

J. Vis. Commun. Image R.

journal homepage: www.elsevier .com/ locate/ jvc i

Secret image sharing scheme with hierarchical threshold accessstructure

http://dx.doi.org/10.1016/j.jvcir.2014.03.0041047-3203/� 2014 Elsevier Inc. All rights reserved.

⇑ Corresponding author. Fax: +98 2122431655.E-mail addresses: n_pakniat@sbu.ac.ir (N. Pakniat), m.noroozi@mail.sbu.ac.ir

(M. Noroozi), z_eslami@sbu.ac.ir (Z. Eslami).

Nasrollah Pakniat, Mahnaz Noroozi, Ziba Eslami ⇑Department of Computer Sciences, Shahid Beheshti University, G.C., Tehran, Iran

a r t i c l e i n f o

Article history:Received 10 July 2013Accepted 7 March 2014Available online 19 March 2014

Keywords:CryptographySecret image sharingHierarchical threshold access structureCellular automataBirkhoff interpolationInformation hidingReversibilityTamper detection

a b s t r a c t

A hierarchical threshold secret image sharing (HTSIS) scheme is a method to share a secret image amonga set of participants with different levels of authority. Recently, Guo et al. (2012) [22] proposed a HTSISscheme based on steganography and Birkhoff interpolation. However, their scheme does not provide therequired secrecy needed for HTSIS schemes so that some non-authorized subsets of participants are ableto recover parts of the secret image. In this paper, we employ cellular automata and Birkhoff interpolationto propose a secure HTSIS scheme. In the new scheme, each authorized subset of participants is able torecover both the secret and cover images losslessly whereas non-authorized subsets obtain no informa-tion about the secret image. Moreover, participants are able to detect tampering of the recovered secretimage. Experimental results show that the proposed scheme outperforms Guo et al.’s approach in termsof visual quality as well.

� 2014 Elsevier Inc. All rights reserved.

1. Introduction

Sharing images over open channels such as the Internet has at-tracted considerable attention in recent years [1–8]. However,when it comes to sharing secret images, some challenging prob-lems should be solved first. The first one is the number of partiesthat can access the secret image. It is definitely a risk to considera single party due to the accidental or intentional loss/corruptionof such images that might occur. On the other hand, if several par-ticipants share parts of the secret image, care must be taken to en-sure that no malicious shareholder is able to manipulate his/herdata. The second concern is the need to keep invaders unawarenot only of the content of the secret image itself but also of the veryfact that an image is being transferred. Secret sharing schemeswhich protect and distribute a secret content among a group ofparticipants provide solutions to the first issue. In this regard, thebasic example, proposed first by Shamir [9] and Blakley [10], isthe concept of a ðt;nÞ-threshold secret sharing scheme whichencodes a secret data set into n shares and distributes them amongn participants in such a way that any t or more of the shares can becollected to recover the secret data, but any t � 1 or fewer of themprovides no information about the secret. Moreover, to ensurerecovery of the original secret information some authentication

process must be employed so that any manipulation of shares isdetected with high probability. To tackle the second concern, ste-ganographic techniques are usually employed [11–14]. In thesemethods, first some innocent looking images, called cover images,are selected. Then the secret data are embedded into cover imagesand the resulting stego images are distributed among participantsusing some secret sharing scheme. Clearly, in order not to invokesuspicion, the embedding should create high-quality stego imagessuch that the changes are not visually perceptible. So far, two mostpopular steganographic methods used in steganographic secretsharing schemes were the least significant bits (LSBs) replacementand the modulus operation.

A method of secret image sharing with steganography andauthentication proposed by Lin and Tsai [15] in 2004. Their schemeis an example of a lossy polynomial-based image sharing and thereconstructed secret image may be distorted slightly. Wu et al.[16] in 2004 proposed another scheme in which the secret imageis compressed firstly, and then embedded into the cover imagesby modulus operation. This approach can generate smaller stegoimages, but the original secret image cannot be retrieved com-pletely in the reconstruction procedure. To recover the secret im-age losslessly, the method introduced by Thien and Lin [17] canbe utilized which splits every pixel with value more than 250 intotwo pixels. Their method is effective, but the output images arerandom-looking which attracts the attention of malicious attack-ers. In order to overcome the defects in Lin and Tsai’s scheme, Yanget al. [18] used Galois field GFð28Þ instead of modulo 251 and

http://crossmark.crossref.org/dialog/?doi=10.1016/j.jvcir.2014.03.004&domain=pdfhttp://dx.doi.org/10.1016/j.jvcir.2014.03.004mailto:n_pakniat@sbu.ac.irmailto:m.noroozi@mail.sbu.ac.irmailto:z_eslami@sbu.ac.irhttp://dx.doi.org/10.1016/j.jvcir.2014.03.004http://www.sciencedirect.com/science/journal/10473203http://www.elsevier.com/locate/jvci

1094 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101

proposed an improved approach in 2007. The scheme proposed byEslami et al. [4] in 2009 is another example of a secret imagesharing scheme with steganography and authentication. Theirscheme is an effective lossless sharing scheme based on cellularautomata, but their access structure is restricted, i.e., only a subsetof some consecutive participants from an ordered set of partici-pants can form an authorized subset. Eslami and Ahmadabadi[5], Ulutas et al. [6] and Yang and Chu [7] are more recentexamples on this line of research.

In the above mentioned schemes, it is not possible for partici-pants to recover the cover image losslessly. However, in someapplications, such as medical diagnosis, law enforcement, militaryimaging system, remote sensing and high-energy particle physicalexperimental investigation, it is important to reverse the stegomedia back to original after the embedded data is retrieved fromit. Therefore, designing a secret image sharing scheme whichallows authorized participants to restore the distorted stego imageto original without distortion after retrieving the shared data isnecessary. Lin and Chan [19] proposed an invertible sharingscheme with steganography to recover the secret image and coverimage losslessly. Wu et al. [20] proposed another secret imagesharing based on cellular automata and steganography whichretrieves the secret and cover images both losslessly.

In reconstruction of the secret image of these schemes, eachstego image plays an equivalent role. However, a general thresholdaccess structure can have other useful properties for some applica-tions. For example, when the participants differ in their authority,an access structure which takes this difference into account may beuseful. A hierarchical threshold access structure is beneficial insuch situations. In a scheme with hierarchical threshold accessstructure, the secret is shared among a group of participants thatis partitioned into levels. The access structure is then determinedby a sequence of threshold requirements for these levels, e.g.,considering t0 < t1 < t2 < � � � as the sequence of threshold require-ments, a subset of participants is authorized to reconstruct thesecret if it has at least t0 participants from the highest level, as wellas at least t1ð> t0Þ participants from the two highest levels and soforth. In 2007, Tassa proposed a new secret sharing scheme basedon Birkhoff interpolation to deal with hierarchical threshold accessstructures [21]. However, unlike Shamir’s secret sharing scheme,Tassa’s scheme is not able to use all potentials of underlyingpolynomial to share multiple secrets. Using Tassa’s scheme toshare more than t0 secrets makes it possible for some non-authorizedsubset of participants to recover some of the secrets.

Based on Tassa’s scheme, Guo et al. in [22] proposed a hierarchi-cal threshold secret image sharing scheme with steganographicproperties. To the best of our knowledge, their scheme is the onlyexisting hierarchical threshold secret image sharing. In theirscheme, after sharing each block of the secret image using Tassa’sscheme, modulus operation is used to hide the shadow data intosome cover images. However, their scheme has the followingweaknesses:

� As the authors have mentioned in their paper, some non-authorized subsets of participants can obtain parts of the secretimage.� The cover image can not be losslessly recovered.� There is no authentication in their scheme. Therefore, a

malicious participant can make honest participants obtain afake secret image.� Compared to existing schemes in the literature with the same

threshold parameter, image quality of this scheme is notacceptable (see Section 2.2).

The aim of this paper is to employ cellular automata to proposea hierarchical threshold secret image sharing scheme which

overcomes the weaknesses of Guo et al.’s scheme. In the proposedscheme, secret and cover images are recovered losslessly. More-over, participants are able to check the originality of the recoveredsecret image. We also formally prove that non-authorized subsetsof participants can obtain no information about the secret image.As for the steganographic security, we follow the common method-ology considered so far in the context of secret image sharing, i.e.,steganographic methods are employed only to prevent noise-likeshadow data. Therefore, we consider visual quality of stego imagesto measure how (visually) susceptible stego images are. The exper-imental results indicate that the proposed scheme achieves abetter visual quality for stego images compared to Guo et al.’sscheme. Despite this, we would like to emphasize that the stegano-graphic method employed in our paper is rather weak (the same asalmost all existing literature on steganographic secret imagesharing) and well-designed steganalysis algorithms are able to de-tect the presence of hidden data in our stego images.

The rest of this paper is organized as follows. Section 2 reviewsGuo et al.’s hierarchical threshold secret image sharing scheme anddiscusses its weaknesses. An overview of cellular automata is alsoprovided in this section. In Section 3, we describe the proposedscheme. Security analysis and experimental results of our proposedscheme are provided in Sections 4 and 5, respectively. Finally, theconclusions of this paper are presented in Section 6.

2. Related work

In this section, we first describe Guo et al.’s scheme and then weexplain its weaknesses. The necessary background on cellular auto-mata which is the basis of our approach is also covered in thissection.

2.1. Review of Guo et al.’s hierarchical threshold secret image sharingscheme

Let U be a group of n participants P1; P2; . . . ; Pn divided intomþ 1 levels U0;U1; . . . ;Um and suppose that the sequence ofthreshold requirements t0; t1; . . . ; tm determines the hierarchicalthreshold access structure. Let SI be the secret image and letCI1; . . . ;CIn be the cover images corresponding to P1; . . . ; Pn. The ste-go image STGi corresponding to Pi is constructed using CIi and thePi’s share from SI, for i ¼ 1; . . . ;n. The details of Guo et al.’s schemeare as follows:

Setup: The dealer:

(1) Chooses a large prime number p.(2) Divides SI into ðtmÞ-pixel units D1; . . . ;Dl, where l ¼ MSI�NSItm

l mand MSI and NSI are the width and height of the secret image.

Sharing: For each unit Djð1 6 j 6 lÞ, the dealer:

(1) Constructs a ðtm � 1Þth degree polynomial FjðxÞ ¼ D1j þ D2j xþ

� � � þ Dtmj xtm�1ðmod pÞ, where Dijð1 6 i 6 tmÞ is ith pixel of Dj.

(2) Assigns to each participant Pi his share from Dj as

SHij ¼ Fðtk�1Þj ðiÞ, where k is such that Pi 2 Uk and F

ðtk�1Þj ðxÞ is

the ðtk�1Þth derivative of FjðxÞ.

Embedding: The dealer uses modulus operation to embed eachparticipant’s share from the secret image into his cover image CIiand obtains his stego image STGi.

Recovery: Given the stego images corresponding to an autho-rized subset of participants which satisfy the sequence of thresholdrequirements, one can recover the secret image as follows:

� Extracts the embedded data from each stego image.

N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101 1095

� Employs Birkhoff interpolation on extracted data to recover thesecret image SI.

2.2. Weaknesses of Guo et al.’s scheme

Guo et al. used tm pixels as coefficients of a polynomial ofdegree tm � 1 in the sharing phase. However, doing so makes itpossible for some non-authorized subsets of participants to recoversome parts of the secret image. To overcome this problem and asan alternative solution, the authors suggested to share only t0pixels in each construction of the polynomial. But, this solutionincreases the amount of the secret shadows and as a result thevisual quality of the stego images severely worsens. In theirscheme, the cover image can not be recovered losslessly and henceit’s not useful in applications where this property is needed (seeSection 1). Moreover, because of absence of an authenticationmethod in their scheme, a malicious participant can make honestparticipants obtain a fake secret image and remain unnoticed.

The visual quality of the stego images is related to the amountof shadow data which have to be embedded into the cover images.In most of the secret image sharing schemes in the literature, theamount of shadow data has been related to the threshold parame-ter, i.e., increasing the threshold parameter makes the amount ofshadow data decrease and therefore, the visual quality of stegoimages will be increased. Therefore, it is not fair to compare visualquality of two schemes, each using different parameters. In [22],the authors compared the result of their scheme using ð2;4;7Þ asthe sequence of threshold numbers and 10 as the total numberof participants, with results of other schemes such as [18] using3 as threshold number and 4 as the total number of participants.Compared to other schemes, by using the same parameters, theresult of implementing Guo et al.’s scheme in ordinary thresholdaccess structures is not acceptable.

2.3. One-dimensional linear memory cellular automata

Guo et al.’s secret image sharing scheme is based on Tassa’ssecret sharing scheme. In the sharing phase of Guo et al.’s scheme,the secrets (pixels of the secret image) are the coefficients of somepolynomial Fð�Þ (see Section 2). As the authors mentioned in theirpaper, some unauthorized subsets of participants are able torecover some of the coefficients and therefore, they can obtainsome pixels of the secret image. But, the perfect secrecy of Tassa’sscheme makes it impossible for unauthorized subsets of partici-pants to recover the fixed coefficient of polynomial Fð�Þ. To secureGuo et al.’s scheme, we need a method that allows a subset ofparticipants to recover pixels of the secret image whenever theyare able to recover all of the coefficients of Fð�Þ (including the fixedcoefficient). The method that we use in this paper is based oncellular automata. In the following, we review the definition andproperties of cellular automata.

A one-dimensional linear cellular automaton ðLCAÞ is a discretedynamical model which consists of an array of N cells with twopossible states s 2 f0;1g. For the ith cell, denoted by hii, weconsider the symmetric neighborhood of radius r which is definedas N i ¼ fhi� ri; . . . ; hii; . . . ; hiþ rig. Then, the state of each cell isupdated simultaneously in discrete time steps by means of a localtransition function of the following form:

aðTþ1Þi ¼Xrj¼�r

ajaðTÞiþj ðmod 2Þ; 0 6 i 6 N � 1; ð1Þ

where aðTÞi denotes the state of hii at time T and aj 2 Z2 for every j.Furthermore, if i � j ðmod NÞ, then it is assumed that aðTÞi ¼ a

ðTÞj to

ensure well-defined dynamics of the CA. Since there are 2r þ 1

neighboring cells for hii, there exist 22rþ1 LCAs and each of themcan be specified by an integer w called rule number which is definedas follows:

w ¼Xrj¼�r

aj2rþj: ð2Þ

The configuration of a LCA at time T is shown by the vector

CðTÞ ¼ ðaðTÞ0 ; . . . ; aðTÞN�1Þwhere C

ð0Þ is the initial configuration. Moreover,

the sequence fCðTÞg06T6k is called the evolution of order k of the LCA.The global function of the LCA is a linear transformation, U, whichdetermines the configuration at the next time step during the evo-

lution of the LCA, i.e., CðTþ1Þ ¼ UðCðTÞÞ.In Memory cellular automaton (MCA) [23] the state of neighbor-

ing cells at time T as well as T � 1; T � 2; . . . contribute to deter-mine the state at time T þ 1. Hereafter, by a CA, we mean aparticular type of MCA called the tth order linear MCA (LMCA)whose local transition function takes the following form:

aðTþ1Þi ¼ f1ðNðTÞi Þ þ f2ðN

ðT�1Þi Þ þ � � � þ ftðN

ðT�tþ1Þi Þ ðmod 2Þ;

0 6 i 6 N � 1; ð3Þ

where fj is the local transition function of a particular LCA with ra-

dius r (1 6 j 6 t) and N ðTÞi � ðZ2Þ2rþ1 stands for the state of the

neighboring cells of hii at time T. In this case, t initial configurationsCð0Þ; . . . ; Cðt�1Þ are required to start the evolution of LMCA. A cellularautomaton is said to be reversible if for every current configurationof the cellular automaton there is exactly one past configuration.For a reversible CA, there exists another CA, called its inverse, withglobal function U�1. In such CAs the evolution backward is possible(see [24]).

3. The proposed scheme

In this section, a new hierarchical threshold secret image shar-ing scheme is proposed to overcome the security weakness of Guoet al.’s scheme. We employ cellular automata to achieve this goal.We first provide an overview of the sharing and recovery phase ofour approach and then explain each phase in detail.

In order to share a set of tm secrets, we first set these secrets asinitial configurations of a cellular automaton (CA). Then, after re-quired number of evolutions of a properly constructed CA, we getthe resulting tm consequent configurations as temporal secretsand set them as the coefficients of a polynomial. Then, the shareof each participant is obtained using appropriate derivative ofthe polynomial. Now, in order to reconstruct the set of main se-crets, first all of the temporal secrets must be reconstructed. Thisis achieved through the use of Birkhoff interpolation in the scheme.Then, we are able to recover the set of main secrets using the in-verse of the CA. The proposed method has the ability to reconstructthe cover image losslessly by sharing the bits of cover images chan-ged during embedding. Moreover, we provide authentication prop-erty in the scheme by employing a hash function in theconfigurations of the CA (instead of bits of cover image) and there-fore, we don’t need to embed extra information for authenticationpurposes.

Suppose that there is a group U of n participants P1; P2; . . . ; Pnpartitioned into mþ 1 levels U0;U1; . . . ;Um and assume that thesequence of threshold requirements t0; t1; . . . ; tm determines thehierarchical threshold access structure. In the proposed scheme,we have one secret image SI and one cover image CI. The stegoimages fSTGigni¼1 are produced by embedding the shadow data cor-responding to participant Pi, into the cover image CI. The proposedscheme consists of 4 phases, (1) the setup phase, (2) the sharingphase, (3) the embedding phase and (4) the recovery and authen-tication phase. In the following, we describe each phase in detail.

1096 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101

3.1. The setup phase

In this phase, the dealer fixes some parameters and constructs areversible LMCA of order tm, denoted by M. In what follows, weconsider 1 byte for each pixel and we use q concatenated pixelsas a configuration of M. Therefore, the number of cells in each con-figuration of M is 8� q and this is why we assume 1 6 r 6 b8�q�12 c.Note also that for a rule number w, we must have0 6 w 6 22rþ1 � 1. Here are the detailed steps:

1. Assigns an identity number i to each participant Pi 2 U.2. Chooses a cryptographic hash function H : f0;1g8�q�ðtm�1Þ !f0;1g8�q.

3. Constructs a reversible LMCA (M):(a) Chooses 1 6 r 6 b8�q�12 c as the radius of the symmetric

neighborhood of the LMCA.(b) Chooses a random number 0 6 ws 6 22rþ1 � tm þ 1. The rule

numbers of the LMCA are then ws;ws þ 1; . . . ;ws þ tm � 2.(c) Constructs M of order tm by

aðTþ1Þj ¼ fws ðNðTÞj Þ þ � � � þ fwsþtm�2ðN

ðT�tmþ2Þj Þ

þ aT�tmþ1j ðmod 2Þ; ð4Þ

(a)

(b)Fig. 1. Diagram of the proposed scheme. (a) T

where 0 6 j 6 8� q� 1 and fwsþi is the local transition function ofthe LMCA with radius r and rule numbers ws þ i; 0 6 i 6 tm � 2.

3.2. The share generation phase

In the sharing phase, first, the dealer obtains all pixels of the se-cret image SI, denoted as SI ¼ fs1; s2; . . . ; sMSI�NSIg and divides SI intoðq� ðtm � 2ÞÞ-pixel units D1;D2; . . . ;Dl, where l ¼ MSI�NSIq�ðtm�2Þ

l mand

Dj;1 6 j 6 l is as follows:

D1;1j D1;2j � � � D

1;tm�2j

..

. ... . .

. ...

Dq;1j Dq;2j � � � D

q;tm�2j

26664

37775: ð5Þ

The dealer also divides the cover image CI into blocks D01;D02; . . . ;D

0l0 ,

where each block contains 4� q pixels. The details of this phase, de-picted in Fig. 1(a), are as follows:

The dealer:

1. Divides SI into ðq� ðtm � 2ÞÞ-pixel units D1;D2; . . . ;Dl.2. Divides CI into (4� q)-pixel blocks D01;D

02; . . . ;D

0l0 .

3. Repeats for j ¼ 1; . . . ; l:(a) For k ¼ 0; . . . ; ðtm � 3Þ:

he sharing phase. (b) The recovery phase.

N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101 1097

i. Sets initial configuration CðkÞ of M as ðD1;kþ1j Þ2k � � � kðDq;kþ1j Þ2,

where ðxÞ2 means binary representation of x and k standsfor concatenation of two strings.

(b) Extracts the 2 least significant bits from each pixel in the jthunit of the cover image and concatenates them to obtainq� 8 bits. He now sets Cðtm�2Þ as the result of theconcatenation.

(c) Computes Cðtm�1Þ as HðCð0Þ; . . . ; Cðtm�2ÞÞ.(d) Computes evolutions of M of order 2� tm � 1 with the ini-

tial configurations Cð0Þ; . . . ;Cðtm�1Þ and obtains CðtmÞ; . . . ;Cð2�tm�1Þ.

(e) Constructs a ðtm � 1Þth degree polynomial FjðxÞ ¼ CðtmÞþCðtmþ1Þxþ � � � þ Cð2�tm�1Þxtm�1 over GFð2q�8Þ.

(f) Assigns to each participant Pi his share from jth unit asSHij ¼ F

ðtk�1Þj ðiÞ, where k is such that Pi 2 Uk; F

ðtk�1Þj ðxÞ is the

ðtk�1Þth derivative of FjðxÞ and t�1 ¼ 0.

In order to generate the stego image corresponding to Pi, so farthe string SHi1kSH

i2k � � � kSH

il, plus other information about M and SI

must be embedded in the cover image (CI). For lossless recovery ofthe cover image, the dealer shares another tm � 1 blocks from thecover image and obtains fSHilþ1g

n

i¼1 during the following steps:

1. For j ¼ 0; . . . ; tm � 2:(a) Sets initial configuration CðjÞ of M as the result of concatena-

tion of 2 LSBs of pixels in ðjþ lþ 1Þth block of the coverimage.

2. Computes Cðtm�1Þ as HðCð0Þ; . . . ;Cðtm�2ÞÞ.3. Computes evolutions of M of order 2� tm � 1 with the initial

configurations Cð0Þ; . . . ;Cðtm�1Þ and obtains CðtmÞ; . . . ;Cð2�tm�1Þ.4. Constructs a ðtm � 1Þth degree polynomial FðxÞ ¼ CðtmÞþ

Cðtmþ1Þxþ � � � þ Cð2�tm�1Þxtm�1 over GFð2q�8Þ.5. Assigns to each participant Pi 2 Uk, the share SHilþ1 ¼ F

ðtk�1ÞðiÞ.

Remark. As explained in [21], in order to make sure that everyauthorized subset of participants are able to recover both of thesecret and cover images losslessly, we have to choose q such that:

2q�8 > 2�tmþ2 � ðtm � 1Þtm�1

2 � ðtm � 1Þ!� nðtm�1Þ�ðtm�2Þ

2 : ð6Þ

3.3. The embedding phase

In this phase, the dealer produces final stego images by embed-ding the data obtained in previous phases into the cover image. Toensure that it is difficult to visually recognize that any data is

Fig. 2. (a) One block of the cover image consisting of 4� q bytes, (b) The embedding of thblock of CI.

hidden in the stego images, the embedding procedure must besuch that the visual quality of the results have no serious downtrend.

We embed the following data in CI and obtain the stego imageSTGi corresponding to Pi:

� i; ki: the assigned identity to Pi and the level to which Pibelongs.� t ¼< t0; t1; . . . ; tm >: the sequence of threshold numbers.� r; ws: the radius of the symmetric neighborhood and the initial

rule number of the LMCA.� MSI and NSI: the width and height of the secret image.� SHij; 1 6 j 6 lþ 1: the shares assigned to Pi.

We now outline the details of embedding procedure. The fore-going data, with the same ordering, is considered as an array of ele-ments in GFð2q�8Þ. Each element is embedded into one block of CIconsisting of 4� q bytes. Let ðd1; . . . ; d8�qÞ be the binary represen-tation of the element which has to be embedded in block B of CIwith pixels X1;X2; . . . ;X4�q with binary representation as inFig. 2(a). The embedding replaces the least significant bits ofX1;X2; . . . ;X4�q with d1; . . . ; d8�q as depicted in Fig. 2(b). Note thatthe embedding changes at most two of the LSBs in each byte ofB. This maintains the quality of stego images.

After obtaining the stego images (STGi; i ¼ 1; . . . ;n), the dealersends each stego image to the corresponding participant via a pub-lic channel.

Remark. Note that the only aim of using steganography alongwith the proposed secret image sharing is to prevent distributingnoise-like shadow data.

3.4. The recovery and verification phase

The details of this phase are depicted in Fig. 1(b). Suppose thattm participants, Pa1 ; . . . ; Patm , pool the stego images STGa1 ;STGa2 ; . . . ; STGatm to recover the secret image SI. Each STGai isdivided into a set of blocks with 4� q pixels from which theembedded data can be retrieved as follows:

1. For each ai; 1 6 i 6 tm:� Retrieve from STGai : ai; kai ; ws; r; t ¼ ht0; t1; . . . ; tmi;

MSI; NSI; SHaij ; 1 6 j 6 lþ 1.

2. Check the threshold numbers to verify if these participants areauthorized to recover the secret image.

3. Repeat for j ¼ 1; . . . ; l //reconstruct the jth unit of the secretimage:

e hidden data ðd1; . . . ; d8�qÞ in a stego block. (c) Distortion-free reconstruction of one

Fig. 3. (a)–(d) The test secret images. (e)–(p) The test cover images.

1098 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101

(a) Employ Birkhoff interpolation on pairs ðai; SHaij Þ; 1 6 i 6 tmto reconstruct a tm � 1 degree polynomial FjðxÞ. Supposethat FjðxÞ ¼ a0 þ a1xþ � � � þ atm�1xtm�1.

(b) Construct the inverse of M, i.e., ~M, with radius r, rule num-bers determined by ws and initial configurations:

~Cð0Þ ¼ atm�1; ~Cð1Þ ¼ atm�2; . . . ; ~Cðtm�1Þ ¼ a0 ð7Þ

and evolve ~M; 2� tm � 1 times to obtain ~CðtmÞ; . . . ; ~Cð2tm�1Þ.(c) Check if Hashð~Cð2tm�1Þ; . . . ; ~Cðtmþ1ÞÞ equals ~CðtmÞ or not.(d) Divide each ~CðiÞðtm þ 2 6 i 6 2tm � 1Þ into q bytes bi1; . . . b

iq.

The pixels of the jth unit of SI, that is, D1;1j ; . . . ;Dq;1j ;

. . . ;Dtm�2;1j ; . . . ;Dq;tm�2j , are taken as b

2tm�11 ; . . . ;b

2tm�1q ; . . . ;b

tmþ21 ;

. . . ;btmþ2q .

(e) To lossless recovery of the jth block of the cover image, usebinary representation of eC ðtmþ1Þ as depicted in Fig. 2(c).

4. Repeat 3a to 3c on fai; SHailþ1g16i6tm and recover the changed bitsin the last tm � 1 changed blocks of the cover image.

5. Restore the changed bits in the last tm � 1 blocks of the coverimage.

4. Security analysis

In this section, we prove that under the assumption of perfectsecrecy of Tassa’s scheme, the set of stego images correspondingto non-authorized subsets of participants reveals no informationabout the secret image. We first mention the following theoremwhich states a natural property of the memory cellular automata.The interested reader can find a proof in [25].

Fig. 4. An example of the ðf2;4;7g;10Þ hierarchical threshold case with reversible steganography. (a)–(j) The stego images generated by the proposed scheme. (k) Theextracted secret image. (l) The distortion-free recovered cover image.

N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101 1099

Theorem 1. Let M denote a tth order LMCA. Then, in order tocompute Cðjþ1Þ for some j P t � 1, exactly t configurationsCðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ are needed.

Now, we prove the following lemma which is a generalizationof Theorem 1.

Lemma 1. Let M denote a tth order LMCA. Then, withoutknowing exactly t configurations CðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ for somej P t � 1, it is not possible to compute any further configura-tions of M, i.e., it is not possible to compute CðjþkÞ for anyk P 1.

1100 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101

Proof. We prove by induction on k. Theorem 1 implies that the state-ment holds for k ¼ 1. Fix some j and suppose that the statementholds for some positive integer k. Therefore, it is not possible to com-pute CðjþkÞ without knowing t configurations CðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ.Now, Theorem 1 implies that in order to compute Cðjþkþ1Þ we haveto know CðjþkÞ;Cðjþk�1Þ; . . . ;Cðjþk�tþ1Þ. By the impossibility of comput-ing CðjþkÞ from induction hypothesis, we conclude that it is not possi-ble to compute Cðjþkþ1Þ without knowing all of the configurationsCðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ. This completes the proof. h

The following theorem shows that the proposed scheme satis-fies the security requirement needed in a hierarchical threshold se-cret image sharing scheme:

Theorem 2. Assuming the perfect secrecy of Tassa’s scheme, theproposed scheme is a secure hierarchical threshold secret imagesharing scheme, i.e., the set of stego images corresponding to any non-authorized subset of participants reveals no information about thesecret image.

Proof. Let A be an attacker and let B be an arbitrary non-autho-rized subset of participants. Perfect secrecy of Tassa’s schememakes it impossible for A to compute all the coefficients of f ð:Þfrom the set of stego images corresponding to B. Therefore, Aobtains less than tm consecutive configurations of eM . Now, Lemma1 implies that A can not compute any further configuration of eM .Therefore, he obtains no information about the blocks of the secretimage from stego images corresponding to B. h

5. Experimental results

In this section, we describe some experimental results to dem-onstrate the characteristics of the proposed scheme. To the best ofour knowledge, so far, there has been only one hierarchical thresh-old secret image sharing scheme in the literature [22]. Therefore,we compare the proposed scheme with this scheme. In order tomeasure the distortion of the stego images, the peak signal-to-noise ratio (PSNR) can be used:

PSNR ¼ 10� log10ð255Þ2

MSEdB; ð8Þ

where MSE is the mean-square error between the cover image andthe stego image. If the cover image is sized f � g; MSE is defined as

MSE ¼ 1f � g

Xfi¼1

Xgj¼1ðxij � yijÞ

2; ð9Þ

Table 1The PSNR value (dB) of the stego images for different test cover images, n ¼ 10; t0 ¼ 2; t1

Test images PSNR (dB)

The first level The second level

1 2 3 4 5

Baboon 51.24 51.22 51.26 51.20 51Barbara 51.17 51.15 51.11 51.09 51Boat 51.00 51.04 50.98 51.00 51Cameraman 51.90 51.93 51.94 51.94 51Couple 50.93 50.94 50.92 50.99 50Elaine 50.88 50.90 50.88 50.90 50Girl 50.93 50.88 50.88 50.89 50House 52.32 52.30 52.31 52.27 52Lake 51.12 51.10 51.11 51.14 51Lena 51.12 51.11 51.08 51.11 51Man 51.11 51.10 51.11 51.15 51Peppers 51.03 51.09 51.05 51.07 51

where xij and yij denote the cover and the stego pixel values,respectively.

In this way, the higher the PSNR values are, the more difficultthe visual detection of existence of embedded data in the cover im-age is.

We perform experiments for n ¼ 10 and m ¼ 2, i.e., there are 10participants divided into 3 levels. Assume that there are 3 partici-pants in the first (highest) level, the second level contains 3 partic-ipants and the third (lowest) level includes 4 participants. Assumea sequence of threshold requirements t ¼ ht0; t1; t2i ¼ h2;4;7i; thatis at least 7 participants have to pool their shares together toreconstruct the secret image (of which at least 4 are from the firsttwo levels and at least 2 are from the first level). In order to dem-onstrate the visual perception of the stego images, we take ‘‘Air-plane’’ with size 256� 256 as the secret image (Fig. 3(a)) and‘‘Peppers’’ with size 512� 512 as the cover image (Fig. 3(p)).Fig. 4(a)–(j) displays the obtained stego images and their PSNR val-ues by using the proposed scheme. The distortion between the cov-er image and the stego images is slight and therefore, it is difficultfor intruders to suspect that some secret data is embedded in theimages. If the stego images involved meet the hierarchical thresh-old access structure, the proposed scheme is able to reconstructboth of the secret and cover images without distortion. The ex-tracted secret and cover images are shown in Fig. 4(k) and (l),respectively.

We performed similar experiments with different test images ascover image. Table 1 displays the PSNR values of the stego imagesachieved by the proposed scheme using ‘‘Airplane’’ with size256� 256 (Fig. 3(a)) as the secret image and twelve test imageswith size 512� 512 (Fig. 3(e)–(p)) as the cover images. The resultsshow that the PSNR values of the stego images always maintain asteady level and are within ½50:87;52:32�.

Table 2 compares the proposed scheme with Guo et al.’s schemein term of average PSNR values for ‘‘Airplane’’ as the secret imageand different cover images. The results show that by using the pro-posed scheme, we can achieve far better visual quality. That is be-cause, in Guo et al.’s scheme, the authors generated polynomialsover GFðpÞ (where p is a large prime) and used one pixel as one se-cret in GFðpÞ. However, in the proposed scheme we generate poly-nomials over GFð2q�8Þ and we use q concatenated pixels as onesecret. Hence, compared to Guo et al.’s scheme, less data must beembedded in our scheme.

Table 3 shows the average PSNR values of the stego images ob-tained by the proposed scheme using different test secret images(Fig. 3)) and different access structures while the cover image isfixed to be Peppers (Fig. 3(p)). The results show that the visualquality of the stego images obtained by the proposed methoddoesn’t depend on the secret image.

¼ 4; t2 ¼ 7.

The third level

6 7 8 9 10

.22 51.27 51.21 51.23 51.22 51.26

.16 51.16 51.14 51.12 51.09 51.13

.00 51.02 51.05 51.02 51.02 50.98

.91 51.92 51.96 51.93 51.93 51.94

.93 50.93 50.94 50.91 50.93 50.94

.92 50.89 50.89 50.91 50.93 50.91

.93 50.90 50.89 50.92 50.87 50.92

.28 52.27 52.30 52.27 52.27 52.27

.08 51.12 51.12 51.09 51.10 51.07

.09 51.13 51.10 51.13 51.08 51.11

.14 51.14 51.16 51.10 51.16 51.09

.03 51.08 51.03 51.10 51.07 51.08

Table 3The average PSNR value (dB) of the stego images for different test secret images (Fig. 3(a)–(d)) and different access structures using Peppers (Fig. 3(i)) as the cover image.

Secret images Average PSNR (dB)

n ¼ 8; M ¼ 2 n ¼ 10; M ¼ 3 n ¼ 12; M ¼ 4NPL ¼ 2;5 NPL ¼ 3;3;4 NPL ¼ 2;3;3;4

t ¼ h1;4i t ¼ h2;5i t ¼ h1;3;6i t ¼ h2;4;7i t ¼ h1;3;5;7i t ¼ h2;4;6;8i

Airplane 47.05 48.81 50.10 51.06 51.07 51.86Bridge 47.05 48.82 50.10 51.07 51.07 51.85Earth 47.06 48.81 50.11 51.07 51.07 51.85Splash 47.05 48.81 50.09 51.07 51.08 51.86

n: The total number of participants.M: the number of hierarchical levels.NPL: the number of participants in each of M hierarchy levels.t: The required sequence of threshold numbers to reconstruct the secret image.

Table 2Comparisons of optimal image quality between the proposed scheme and Guo et al.’s scheme for different cover images.

Schemes Average PSNRs

Baboon Boat Cameraman Couple Girl House Lake Lena Man Peppers

Ours 51.23 51.01 51.93 50.93 50.90 52.29 51.11 51.11 51.13 51.06Guo et al.’s 38.19 38.59 39.26 39.33 39.22 40.22 38.90 38.72 38.65 38.25

N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101 1101

6. Conclusion

In this paper, by using cellular automata and Birkhoff interpola-tion we propose a secret image sharing scheme which overcomesthe weaknesses of Guo et al.’s scheme. We also employ steganog-raphy to prevent noise-like shares. The proposed scheme has thefollowing advantages:

� It admits a hierarchical threshold access structure.� It is able to recover both of the secret and cover image

losslessly.� After lossless recovery of the secret and cover image, partici-

pants are able to check the validity of the secret image, i.e., theyare able to detect whether stego images are tampered or not.� The set of stego images corresponding to a non authorized sub-

set of participants reveals no information about the secretimage.� Compared to Guo et al.’s scheme, the stegos produced by the

proposed scheme have better visual quality.

However, the same as almost all existing steganographic secretimage sharing schemes, our method is not secure against steganal-ysis algorithms.

References

[1] M. Naor, A. Shamir, Visual cryptography, in: Lecture Notes in ComputerScience, vol. 950, 1994, pp. 1–12.

[2] W.-P. Fang, Friendly progressive visual secret sharing, Pattern Recogn. 41 (4)(2008) 1410–1414.

[3] J.-B. Feng, H.-C. Wu, C.-S. Tsai, Y.-F. Chang, Y.-P. Chu, Visual secret sharing formultiple secrets, Pattern Recogn. 41 (12) (2008) 3572–3581.

[4] Z. Eslami, S.H. Razzaghi, J.Z. Ahmadabadi, Secret image sharing based oncellular automata and steganography, Pattern Recogn. 43 (1) (2010) 397–404.

[5] Z. Eslami, J.Z. Ahmadabadi, Secret image sharing with authentication-chainingand dynamic embedding, J. Syst. Software 84 (5) (2011) 803–809.

[6] M. Ulutas, G. Ulutas, V.V. Nabiyev, Invertible secret image sharing for gray leveland dithered cover images, J. Syst. Software 86 (2) (2013) 485–500.

[7] C.-N. Yang, Y.-Y. Chu, A general (k,n) scalable secret image sharing schemewith the smooth scalability, J. Syst. Software 84 (10) (2011) 1726–1733.

[8] X. Wu, W. Sun, Secret image sharing scheme with authentication and remedyabilities based on cellular automata and discrete wavelet transform, J. Syst.Software 86 (4) (2013) 1068–1088.

[9] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612–613.[10] G.R. Blakley, Safeguarding cryptographic keys, in: Proceedings of the National

Computer Conference, vol. 48, 1979, pp. 313–317.[11] R.-Z. Wang, C.-F. Lin, J.-C. Lin, Image hiding by optimal LSB substitution and

genetic algorithm, Pattern Recogn. 34 (3) (2001) 671–683.[12] C.-C. Chang, J.Y. Hsiao, C.-S. Chan, Finding optimal least-significant-bit

substitution in image hiding by dynamic programming strategy, PatternRecogn. 36 (7) (2003) 1583–1595.

[13] C.-K. Chan, L.-M. Cheng, Hiding data in images by simple LSB substitution,Pattern Recogn. 37 (3) (2004) 469–474.

[14] C.-C. Thien, J.-C. Lin, A simple and high-hiding capacity method for hidingdigit-by-digit data in images based on modulus function, Pattern Recogn. 36(12) (2003) 2875–2881.

[15] C.-C. Lin, W.-H. Tsai, Secret image sharing with steganography andauthentication, J. Syst. Software 73 (3) (2004) 405–414.

[16] Y.-S. Wu, C.-C. Thien, J.-C. Lin, Sharing and hiding secret images with sizeconstraint, Pattern Recogn. 37 (7) (2004) 1377–1385.

[17] C.-C. Thien, J.-C. Lin, Secret image sharing, Comput. Graph. 26 (5) (2002) 765–770.

[18] C.-N. Yang, T.-S. Chen, K.H. Yu, C.-C. Wang, Improvements of image sharingwith steganography and authentication, J. Syst. Software 80 (7) (2007) 1070–1076.

[19] P.-Y. Lin, C.-S. Chan, Invertible secret image sharing with steganography,Pattern Recogn. Lett. 31 (13) (2010) 1887–1893.

[20] X. Wu, D. Ou, Q. Liang, W. Sun, A user-friendly secret image sharing schemewith reversible steganography based on cellular automata, J. Syst. Software 85(8) (2012) 1852–1863.

[21] T. Tassa, Hierarchical threshold secret sharing, J. Cryptol. 20 (2) (2007) 237–264.

[22] C. Guo, C.-C. Chang, C. Qin, A hierarchical threshold secret image sharing,Pattern Recogn. Lett. 33 (1) (2012) 83–91.

[23] R. Alonso-Sanz, Reversible cellular automata with memory: two-dimensionalpatterns from a single site seed, Physica D 175 (1–2) (2003) 1–30.

[24] T. Toffoli, N. Margolus, Ininvertible cellular automata: a review, Physica D 45(1–3) (1990) 229–253.

[25] Z. Eslami, J.Z. Ahmadabadi, A verifiable multi-secret sharing scheme based oncellular automata, Inf. Sci. 180 (15) (2010) 2889–2894.

http://refhub.elsevier.com/S1047-3203(14)00060-1/h0020http://refhub.elsevier.com/S1047-3203(14)00060-1/h0020http://refhub.elsevier.com/S1047-3203(14)00060-1/h0025http://refhub.elsevier.com/S1047-3203(14)00060-1/h0025http://refhub.elsevier.com/S1047-3203(14)00060-1/h0030http://refhub.elsevier.com/S1047-3203(14)00060-1/h0030http://refhub.elsevier.com/S1047-3203(14)00060-1/h0035http://refhub.elsevier.com/S1047-3203(14)00060-1/h0035http://refhub.elsevier.com/S1047-3203(14)00060-1/h9000http://refhub.elsevier.com/S1047-3203(14)00060-1/h9000http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0050http://refhub.elsevier.com/S1047-3203(14)00060-1/h0055http://refhub.elsevier.com/S1047-3203(14)00060-1/h0055http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0065http://refhub.elsevier.com/S1047-3203(14)00060-1/h0065http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0075http://refhub.elsevier.com/S1047-3203(14)00060-1/h0075http://refhub.elsevier.com/S1047-3203(14)00060-1/h0080http://refhub.elsevier.com/S1047-3203(14)00060-1/h0080http://refhub.elsevier.com/S1047-3203(14)00060-1/h0085http://refhub.elsevier.com/S1047-3203(14)00060-1/h0085http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0095http://refhub.elsevier.com/S1047-3203(14)00060-1/h0095http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0105http://refhub.elsevier.com/S1047-3203(14)00060-1/h0105http://refhub.elsevier.com/S1047-3203(14)00060-1/h0110http://refhub.elsevier.com/S1047-3203(14)00060-1/h0110http://refhub.elsevier.com/S1047-3203(14)00060-1/h0115http://refhub.elsevier.com/S1047-3203(14)00060-1/h0115http://refhub.elsevier.com/S1047-3203(14)00060-1/h0120http://refhub.elsevier.com/S1047-3203(14)00060-1/h0120http://refhub.elsevier.com/S1047-3203(14)00060-1/h0125http://refhub.elsevier.com/S1047-3203(14)00060-1/h0125

Secret image sharing scheme with hierarchical threshold access structure1 Introduction2 Related work2.1 Review of Guo et al.’s hierarchical threshold secret image sharing scheme2.2 Weaknesses of Guo et al.’s scheme2.3 One-dimensional linear memory cellular automata

3 The proposed scheme3.1 The setup phase3.2 The share generation phase3.3 The embedding phase3.4 The recovery and verification phase

4 Security analysis5 Experimental results6 ConclusionReferences