Date post: | 09-Dec-2023 |
Category: |
Documents |
Upload: | independent |
View: | 0 times |
Download: | 0 times |
A KARNAUGH MAP {2,2} SECRET SHARING SCHEME FOR COLOR IMAGES
KN Plataniotis
University of [email protected]
ABSTRACT
This paper introduces a simple, computationally attractive{2,2} secret sharing scheme visual suitable for processingcolor images. The new design utilizes matrix sets derivedusing a Kamaugh map. The encryption and decryption functions are executed at the bit level of the RGB color representation. The proposed scheme offers perfect reconstructionwith no pixel expansion. Analysis and experimental resultsincluding in this work support the main argument that thedeveloped scheme is ideal for transmission of color imagesover un-trusted, bandwidth limited, communication channels.
Index Terms- Secret sharing, security, color images,Kamaugh map, permutation.
1. INTRODUCTION
Digital data security and integrity preservation is ofparamountof importance in modem communication systems. The confidentiality of the transmitted data over digital communicationnetworks is usually obtained by encryption. However, thecritical vulnerability of the encryption algorithms arises fromthe single-point-failure issue which means that the encryptedinformation cannot be recovered if the encryption and/or decryption keys are lost or the encrypted content is changedor corrupted during the transmission [1]. Also, due to therapid advent of wireless and wired communication systems,numerous applications are provided whose security requirements are beyond the most of the proposed solutions inconventional cryptography. These developments necessitatesolving challenging issues regarding integrity and security ofvisual data transmission through communication channels.
Visual data protection is achieved either by employingdata hiding techniques or through secret sharing of visualdata. Image data hiding techniques embed information bymodifying the original image to be transmitted in an imperceptible way [2]. Visual cryptography schemes on the otherhand are based on the principle of sharing secret informationamong a group of participants. The shared visual secret isrecovered only when a coalition of willing participants arepolling their shares together [3]. The main advantage ofsecretsharing schemes over encryption methodologies arises from
s. Stergiopoulos
Defence R&D Canada [email protected]
replication of the encryption/decryption key to different participants instead of access to key by independent participantsto enhance the secrecy of the transmitted data through communication channel. However, it may increase the probabilityof key exposure by unauthorized channel users.
The performance of secret sharing schemes, when appliedto images are determined by : (i) quality of the recoveredimage and (ii) pixel expansion-m. The quality of the reconstructed image refers to the difference in contrast between theoriginal image and the recovered image. Pixel expansion (m)refers to the number of subpixels in the share images neededto represent a single pixel of the original input image. Obviously the larger the value of factor m, the larger the size ofthe share. In the application considered in this work, sharesize must be controlled since most communication channelsare bandwidth constraint. Therefore, it is desirable to keep mas small as possible. Given the fact that color images, due totheir tristimulus representation, occupy much more space andrequire much more bandwidth for transmission, compared togray scale images, it is important to develop a visual cryptography scheme with no pixel expansion, in other words ascheme with m == 1 [2].
This paper is to propose secret sharing schemes whosereconstruction phase is operated without the need of humanvision system to preserve the content of the original input image. Most of the proposed secret sharing schemes intend tominimize pixel expansion or achieve perfect reconstruction.In [4] half-toning and dithering methods are used to controlpixel expansion. However half-toning reduces the quality ofthe input as well as that ofthe reconstructed original. Many ofthe existing schemes that offer no pixel expansion result in either poor quality reconstructed images or images that are notidentical to the original input. For example, the proposed in[5] scheme, has a pixel expansion factor m == 1 but it can notrestore the original image perfectly. The hybrid visual secretsharing scheme [6] has an adjustable pixel expansion at theexpense, however, of the reconstruction quality. The methodology in [6] explains the trade offbetween share size and contrast to introduce size adjustable visual secret sharing mechanism such that the user can choose the appropriate share sizeand the recovered image quality that fits an application. In [7]a color {2,2} secret sharing scheme with a pixel expansion
978-1-4244-3298-1/09/$25.00 2009 Crown DSP 2009
factor of m == 4 is proposed, however the solution cannotperfectly reconstruct the original input image. The methodhas an expansion factor of m == 1 but it does not offer perfectreconstruction, thus it is of limited applicability. The schemein [8] perfectly reconstructs the original input image due toits reciprocal encryption and decryption functions but it has apixel expansion factor of m > 1. It is therefore, unsuitable forthe cost-effective transmission of images over bandwidth constrained communication channels. The proposed frameworkin [9] utilizes a block based algorithm in F25 I (a finite fieldwith 251 elements) to generates shares which are smaller thanthe input image in size. However, its performance is affectedby the distribution of the input image pixels.
The main contribution of this paper is the developmentof a cost effective, simple to implement {2, 2} secret sharingschemes for color images that perfectly reconstructs the inputimage. The proposed algorithms can be viewed as the basicsolution of a generic {t, n} secret sharing problem for colorimages. Although many previously published works explicitly differentiate between {2, 2} and {t, n} schemes becausetheir {2, 2} decryption function is pixel based while the corresponding {t, n} is block based [8], the proposed here solution follows the exact same design regardless of the numberof shares and/or participants. The proposed scheme operatesdirectly on the bit plane representation of the input imageand produce noise-like shares. Similar to the proposed bitlevel based scheme in [8], the presented framework utilizesbit-level decomposition methodology to generate the visualshares and perfectly recover the input image while achievingsmaller pixel expansion which makes it readily applicable inbandwidth constraints application scenarios. Using reciprocal encryption and decryption procedures, the secret sharingscheme recovers the input image and makes it readily available for subsequent image processing tasks. The matrix setsdriven by Kamaugh map design allows for a very simple, unlike other recently proposed schemes that require a complicated mathematical apparatus, for a flexible share generationprocedure.
2. THE PROPOSED SECRET SHARING SOLUTION
A secret sharing scheme typically follows the general accessstructure developed by Ateniese et al [10]. The model describes a set of qualified subsets rQual and a set of forbidden subsets r Forb on n participants P == {I, 2, ... , n}. Onlythe participants of any qualified subset can jointly reconstructthe input image. The pair (TQual, r Forb) is called the access structure of the scheme. In the schemes proposed herer Qual == {PI, P2 } where Pi is i t h participant. This is due tothe fact that the reconstructing phase of our {2, 2} proposedalgorithms is performed by polling of all of visual shares.
Choosing an appropriate color representation for processing tasks is a fundamental problem in image processing andcomputer vision. Color images are usually represented in
the RGB color space for both visualization and storage. Agiven color in the RGB color space can be described by indicating the value of each of the red, green and blue colorthat is included in it. Each can vary between the minimum(no color) and maximum (full intensity). Since each of thesecolor components can vary between zero to 255, RGB spaceis usually viewed as the 3-dimensional cube [1]. In RGBspace, a given color image A is defined as A : Z2 ---* Z3.In other words, it is considered to be a (KI X K 2) matrixwith each of its elements being a three-dimensional vector.Each pixel has three color components-red,green and bluewith intensity values ranging from 0 to 255. Thus each ofthese color pixels is represented using 24 bits according to theformula: A(i,j) == [a(i,j)l, a(i,j)2, a(i,j)3]' where (i, j) (fori == 1,2, ... , K I andj == 1,2, ... , K 2 ) and c == 1,2 or 3 are thespatial position and color channels respectively with c == 1denoting the R component, C == 2 denoting the G componentand c == 3 indicating the B component. Using the bit-levelnotation, the a(i,j)c element of the color vector A(i,j) can
be expressed as follows: a(i,j)c == L~=I aZi,j)c28-k, where
aZi,j)c equals to binary zero or one (bit) with k == 1 denotingthe most significant bit (MSB). In the proposed schemes theRGB representation is considered.
2.1. Encryption
The original input image is transformed into a noise like image by permuting all pixels according to a secret key. Apermutation step is used to decrease the correlation betweenneighboring pixels needed for increasing the randomness ofthe shares. Given an input color image of size (KI X K 2), twomatrices Rand C with corresponding dimensions (KI X K I)
and (K2 x K 2 ) are required for the implementation of thepermutation module. These matrices have to be transmittedalong with the generated shares to the receiver end ofthe communication channel. These matrices can be transmitted onlineduring the actual operation or they can be pre-transmitted during the communication link establishment phase. They can beused to share any number of images with size (KI X K 2) between the same receiver-transmitter pair. It should be notedthat only one transmission of the permutation matrices percommunication session is needed. Further to that, if communication resources need to be conserved, the permutation matrices can be compressed greatly due to their sparse structure(i.e. using lossless compression) without affecting the overallperformance. The defining characteristic of the two permutation matrices is that only a single 1 per row and column ispermitted while the rest of their elements are set to zero.
It can be seen that each column and each row containonly one 1 and there is not any zero row or column. Priorto encryption, a permutation step is applied on the originalinput image. The original input image A is permuted using:(Apermuted == (R x A) x C). The encryption procedure isapplied on the permuted image. In the original proposal of
[11] each bit of the binary input image is replaced with a randomly selected row of some generator matrix using two setsof matrices by a given sharing policy. Our proposed schemeencrypts two original bits by mapping them to two other bitsthus offering no pixel expansion (m == 1). Therefore, theinput image and the two shares are of the same size. It is easily understood that for mapping two bits, there are only fourpossible combinations, namely {OO, 01,10,11}.
Based on these combinations, four (4 x 4) encryption matrices are defined as follows:
E 10 == [~ ~ : :] E 11 == [~ ~ ~ ~] (2)110 1 101 0
where Ei j is the basis matrix for encrypting the binarytuple (i, j) (i, j == 0 or 1). The encryption module randomlyselects an integer indicator q E {1, 2, 3, 4} (since each of Eij
matrices has four rows and the dealer should choose one ofthem). Based on its outcome, the dealer uses the qth rowof Ei j matrix (Elj ) to encrypt the tuple (i, j). The first 2elements of Elj form the first share entry which relates to(i, j) while the remaining two elements form the entry for thesecond share.
Thus, the encryption function can be defined as: f e ( i, j) ==Eij == [felij, fe2ij] == [(h 11, h I 2), (h 21, h 22)] and Eij ==(h 11, h 12, h 21, h 22) where fekij and h t z (k, t, z == 1 or 2)are the kt h part of the encryption function for the tuple (i, j)and zth element of tth share, respectively. Certain conditionsand constraints are imposed during the matrix generator rowselection. For example, each of the 2-tuples (h 11, h 12) and(h 21, h 22) must be different from the original binary tuple(i, j) since shares must be significantly different from theinput image. As each row of encryption matrices has 4 elements, there are 24 == 16 possible choices for each row.However, the imposed constraints eliminate 7 choices (forbidden combinations) from the Karnaugh map descriptionof these elements [12] (the row and column that contain thebinary tuple (i, j)). Thus, the permissible choices are basedon the remaining nine elements as they are defined by theKarnaugh map logic. For example, assuming that the dealerconsiders replacing the rows of matrix Eoo, the allowableoptions are restricted to the minterms marked in Fig. 3.
A minterm is a logical expression of n variables consisting of only the logical conjunction operator and the complement operator. There are 2n minterms for n variables. Giventhe fact that in the proposed scheme there are four variables
Table 1. Summary of notation
Input(secret) S == (81,82,83,84,8S,86,87,88)
Shares S hI == (VI 21, V 341, V S61 , V 781)
Sh2 == (VI 22, V 342 , V S62 , V 782)
Reconstructed s: == (fd(VI2), fd(V34), fd(VS6), fd(V78))
{h 11, h 12, h 21, h 22}, the related 24 == 16 minterms are represented in a (4 x 4) Karnaugh map logic. Each of the rows inthe defined encryption matrices can be considered as a fourtuple consisting of binary elements. In other words, each rowis a four bit string that can be represented in a (4 x 4) Karnaugh map logic. It should be mentioned that the complexityof the proposed scheme is independent of the Karnaugh mapsize due to the fixed size of a Karnaugh map with four binaryvariables.
2.2. Decryption
Similar to the encryption step, the proposed decryption function is also based on the Karnaugh map logic. Based on therows of encryption matrices, the decoding function can be defined as follows:
(0,0) if hll·hI2·h21·h22 + hll.hI2.h21.h22
+hll.hI2·h21·h22 + hll.hI2.h21.h22 == 1(0,1) if hll·hI2.h21·h22 + hll.hI2.h21.h22
+hll.hI2.h21.h22 + hll.hI2.h21.h22 == 1(1,0) if hll.hI2·h21·h22 + hll.hI2.h21.h22
+hll.hI2·h21.h22 + hll.hI2.h21.h22 == 1(1,1) if hll.hI2.h21.h22 + hll.hI2.h21.h22
+hll.hI2·h21.h22 + hll.hI2.h21.h22 == 1(3)
where h i j (i, j == 1 or 2) means complement of h i j and(h 11, h 12, h 21, h 22) == Eij. The outcome of the expressionsin (3) has a value of 1 if and only if the corresponding rowwhich we built by concatenating elements from share 1 andshare 2 belongs to a single matrix in the set of matricesdefined during the encryption process. To find a booleanfunction, minterms that produce binary 1 are added modulo2. Boolean expressions in (3) correspond to functions thatare determined by adding some specified minterms modulo2. The logic expression for (i, j)-the output of the decodingprocess-with i, j == 0 or 1 is defined by adding the mintermscorresponding to E i j rows. If these specified minterms arerelated to E i j rows, the decoding function will return (i, j).The notation used in scheme B for sharing of one byte (eachof the a(i,j)c in equation (2)) of the original input image issummarized in Table I.
Fig. 1. The system level diagram of the proposed scheme
Fig. 2. A mapping of minterms on a Kamaugh map
(4)
It should be mentioned that it is possible to reveal one bit butthe permutation procedure refuses to be revealed in the exactposition.
In order to compare bandwidth utilization and thus thesize of the data that is sent through the communication channel, we compare the proposed scheme with the solution introduced in [8]. In [8], in order to send a color image withsize (KI x K 2 ) in a {2, 2} scheme, two shares each with size(2KI x 2K2 ) must be sent, in other words to communicatevisual information of size (KI x K 2 ) , information with size(8K I x K 2 ) should be transmitted. In the proposed schemeB , for transmission of a color image of size (K I x K 2 ) , twoshares each with size (K I x K 2 ) and two permutation matrices with sizes (KI x Kd and (K2 x K 2 ) respectively need tobe sent. It is obvious that in our scheme the size of the transmitted data is less than [8]. It should be noted at this pointthat when a set of images of identical size are sent throughthe channel, the permutation matrices must be sent only oncesince the same permutation matrices can be used to decreasethe correlation of adjacent pixels of many different input images with the same dimensionality. Further to that, when anumber of input images with different dimensions are to besent through the communication channel during the same session, there is no need to generate new permutation matricesevery time that an input image with different dimension ispresented by the transmitter. Note that the main characteristic of the permutation matrices is that they contain only one1 in each row and each column. Let us assume that a permutation matrix with size (K I x Kd (named PK ,) has beenconstructed and a permutation matrix with size (K3 x K3)(named PKJ is needed with K 3 > K I . The new matrix canbe defined as follows :
where 0 is a matrix with specified dimension with all itselements are zero. Given that PK, was available and alreadybe sent to the receiver, we just need to transmit PK 3- K , . Onthe other hand, if one of the rows and columns that have 1in their intersection position are randomly deleted from PK "
the remaining matrix is PK, - I. It means that if we deleteK 3 - K I rows and columns randomly from PK3 repeatedly,the remaining matrix is PK , . It means that the permutationmatrices are generated adaptively.
The performance ofthe proposed scheme may be affectedby attacks of adversaries on the permutation matrices. If anattacker successfully substitutes the permutation matrices atthe receiver, the proposed schemes may not be able to perfectly reconstruct the original input image. It can also be argued that an attacker may be able to modify the permutationmatrices so that the information about the original input is revealed in one of the shares. This is possible if and only ifa permutation matrix with most of its elements equal to one
KGBImage
(Al
h h21 22
MO M4 M12 M8
M1 M5 M13 M9N
.E
.J5.M3 M7 M15 M11
M2 M8 M14 M10
In secret sharing schemes are each of the two generatedshares must not reveal any information which can be used torecover the original input image. In the proposed here {2,2}scheme a single share by itself does not reveal any meaningful information about the original input image. For example,suppose f e(i,j) = [(h ll , h I 2 ) , (h 2 1 , h22 ) ]. A visual secretsharing scheme is secure if and only if (h ll ,h I 2 ) i=- (i,j)and (h 21 , h22 ) i=- (i ,j). The condition is satisfied because(h ll , h12 , h21 , h22 ) = Eb and due to the fact that none ofbinary tuples (h ll , h12 ) and (h 2 1 , h22 ) are equal to (i, j) dueto the encryption process. For exampl e to encrypt (0,0) thedealer chooses one of Eoo rows randomly. It is clear thatnone of2-tuples (h ll ,hI 2 ) and (h 2 1,h22 ) is equal to (0,0).
As it can be seen there 0:::; S :::; 255 (S is one byte consisting of eight bits), Si = °or 1 where 1:::; i :::; 8, Sh j isi h share of S: Vf(t+I) = (Vf(t+I)I , Vf(t+ 1)2) and Vf(t+ I)j =
f ej s , s, +, = (St j e, S(t+I) j e), where t = 1,3,5 or 7 and j = 1or 2 are used to indicates the elements ofthe shares and corresponding share respectively. The proposed scheme perfectlyreconstructs the permutated input image as it will be shown inthe experiments included in the next section. After decrypting all pixels, the inverse of the permutation matrix is usedto provide the reconstructed outcome. Since the permutationstep does not change the nature or the dimension of the decrypted image, it can be claimed that the proposed scheme isa sharing scheme with no pixel expansion that offers perfectreconstruction.
along the main diagonal. However, it is more realistic attackscenario may involve an adversary who:(i)changes the valuesof the permutation matrix such that the resulted matrix is nota valid permutation matrix, and/or (ii) substitutes the originalpermutation matrix with another one of the same dimensionality. To prevent un-authorized modifications of the permutation matrices by an adversary, hash functions can be utilized.For each permutation matrix, a hash value is computed andcommunicated to the receiver. If an adversary produces another permutation matrix or modifies the originally used matrix, the resulting hash value will be different from the hashvalue of the original permutation matrix. At the receiver, acomparison between the value of the received hash functionand the original hash value can be performed. If there is anydifference between them, it can not be acceptable and as aresult the attacks of adversaries can be detected.
3. EXPERIMENTAL RESULTS
Simulation results obtained by the proposed secret sharingscheme is provided in this section. The section includes acomparison between the proposed method and the solutionsdeveloped in [8] and [5]. We compare these algorithms byapplying them on the same sets of input images. Experimentation with a variety ofnatural images of practical importancewas introduced to demonstrate the effectiveness of the proposed schemes. It is important to note here that the performance evaluation is performed visually.
In Fig. 3 the proposed scheme is applied on the imageshown in Fig 3a with the generated shares depicted in Fig.3b-c and the reconstructed image shown in Fig. 3d. Thesetwo noise like images reveal no information about the original input. Simple visual inspection indicates that the size ofshares and that of input image is the same. The reconstructedimage is identical to the input due to the perfect reconstruction property of the algorithm. In Fig. 4 the proposed schemein [8] is applied on the image shown in Fig 4a with its sharesdepicted at Fig. 4b-c and output shown in Fig. 4d. Visual inspection of the results indicates that unlike our solutions, theshares generated are larger in size compared to the originalinput image. This is to be expected since the method of [8]has an expansion factor of m == 4. Consequently, the methodin [8] may not be a cost-effective solution for transmission ofcolor images over bandwidth limited communication channels. The proposed schemes are also compared against thesolution introduced in [5] (see Fig. 5). Visual inspection ofthe results indicates that size of the original input image is aquarter of shares and the reconstructed images size (Fig. 5d).The scheme in [5] does not perfectly recover the original input image and the reconstructed image is darker than the originaI input image. Thus, the method in [5] makes it difficult totransfer color images via bandwidth limited communicationchannels.
In Fig. 6 the result of changing the permutation matrices
by an adversary (during transmission through communicationchannel or at the receiver) is depicted. At the transmitter thepermutation matrices are used to decrease the correlation between adjacent pixels in the original input image but due toattack of adversary, these matrices are changed and as a result the recovered image is not similar to the original inputimage and in this case the secret sharing scheme can not perfectly reconstruct the input secret image. In Fig. 7 the effectof using different permutation matrices before encryption isshown. Namely Fig. 7a-7d displays the original input, thegenerated shares and the reconstructed image when the samepermutation matrix set is used in both encryption and decryption. Fig. 7e-7h displays results obtained using different permutation matrices at the encryption and decryption modules.It can be visually seen that in both cases the reconstructedimage is the same as the original input image because as discussed before the most important thing about the permutationmatrices is their size and the permutation matrices that areused in transmitter and receiver must be the same.
4. CONCLUSIONS
A {2,2} secret sharing solution based on a Kamaugh map design has presented in this paper. Our scheme does not expand the input image. Depending on the actual application,the proposed schemes can be reconfigured to be best suitedfor the required bandwidth constraints. Using permutationbefore encryption process, the secrecy of the solution is enhanced. Based on the experimental results, the scheme can beapplied to send color images over un-trusted, bandwidth limited communication channels since the shares produced areidentical in size to the secret input image.
5. REFERENCES
[1] M. Heidarinejad, M. Yazi, and K.N. Plataniotis, "Algebraicvisual cryptography scheme for color images," Proceedings ofthe IEEE International Conference on Acoustics, Speech andSignal Processing, pp. 1761-1764, 2008.
[2] M Heidarinejad and K.N. Plataniotis, "A second generationvisual secret sharing scheme for color images," Proceedings ofthe IEEE International Conference on Image Processing, pp.481-484, 2008.
[3] C Chang and J Chuang, "An image intellectual property protection scheme for gray-level images using visual secret sharing strategy," Pattern Recognition Letters, vol. 23, no. 8, pp.931-941, June 2002.
[4] Y Hou, F Lin, and C Chang, "Visual cryptography for colorimages without pixel expansion," Journal ofTechnology, vol.16,no.4,pp.595-603,2001.
[5] Y Hou, "Visual cryptography for color images," PatternRecognition, vol. 36, no. 7, pp. 1619-1629,2003.
[6] C Yang and T Chen, "Size-adjustable visual secret sharingschemes," IEICE Trans. Fundamentals, vol. E88-A, no. 9, pp.2471-2474, September 2005.
Fig. 5. The {2,2} visual secret sharing scheme of [5]: (a)Original image (b) Share I (c) Share 2, (d) Reconstructed image.
(d)
(b)
(e)
(a)
[7J Hou Young-Chang, "Visual cryptography for color images,"Pattern Recognition, vol. 36, pp. 1619-1629,2003 .
[8J R Lukac and K.N Plataniotis, "Bit-level based secret sharingfor image encryption," Pattern Recognition, vol. 38, no. 5, pp.767-772, May 2005.
[9J L. Bai, "A Reliable (k, n) Image Secret Sharing Scheme," Proceedings ofthe 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06)-Volume00, pp. 31-36, 2006.
[10J G. Ateniese, C. Blundo, A. De Santis, and D.R. Stinson, "Visual Cryptography for General Access Structures," Information and Computation, vol. 129, no. 2, pp. 86-106, 1996.
[IIJ Moni Naor and Adi Shamir, "Visual cryptography," Advances in Cryptography: Eurocrypt '94,Springer, pp. 1-12,1995-Berline.
[12J Maurice Kamaugh, "The map method for synthesis of combinational logic circuits," Transactions ofAmerican Institute ofElectrical Engineers, vol. 72, no. 9, pp. 593-599, November1953.
(a) (b)
(a) (b)
Fig. 6. The effect of attack by an adversary: (a) Originalimage (b) Share I (c) Share 2, (d) Reconstructed image.
(e) (d)
(e) (d)
Fig. 3. The proposed method: (a) Original image (b) Share I(c) Share 2, (d) Reconstructed image.
(a) (b)
(a) (b)
(e) (d)
(e) (d)
Fig. 4. The {2,2} visual secret sharing scheme of [8]: (a)Original image (b) Share I (c) Share 2, (d) Reconstructed image.
(e) (I)
(g) (11)
Fig. 7. The effect of permutation matrices substitution.