A KARNAUGH MAP {2,2} SECRET SHARING SCHEME FOR COLOR IMAGES

KN Plataniotis

University of Torontokostas@comm.utoronto.ca

ABSTRACT

This paper introduces a simple, computationally attractive{2,2} secret sharing scheme visual suitable for processingcolor images. The new design utilizes matrix sets derivedusing a Kamaugh map. The encryption and decryption func­tions are executed at the bit level of the RGB color repre­sentation. The proposed scheme offers perfect reconstructionwith no pixel expansion. Analysis and experimental resultsincluding in this work support the main argument that thedeveloped scheme is ideal for transmission of color imagesover un-trusted, bandwidth limited, communication channels.

Index Terms- Secret sharing, security, color images,Kamaugh map, permutation.

1. INTRODUCTION

Digital data security and integrity preservation is ofparamountof importance in modem communication systems. The confi­dentiality of the transmitted data over digital communicationnetworks is usually obtained by encryption. However, thecritical vulnerability of the encryption algorithms arises fromthe single-point-failure issue which means that the encryptedinformation cannot be recovered if the encryption and/or de­cryption keys are lost or the encrypted content is changedor corrupted during the transmission [1]. Also, due to therapid advent of wireless and wired communication systems,numerous applications are provided whose security require­ments are beyond the most of the proposed solutions inconventional cryptography. These developments necessitatesolving challenging issues regarding integrity and security ofvisual data transmission through communication channels.

Visual data protection is achieved either by employingdata hiding techniques or through secret sharing of visualdata. Image data hiding techniques embed information bymodifying the original image to be transmitted in an imper­ceptible way [2]. Visual cryptography schemes on the otherhand are based on the principle of sharing secret informationamong a group of participants. The shared visual secret isrecovered only when a coalition of willing participants arepolling their shares together [3]. The main advantage ofsecretsharing schemes over encryption methodologies arises from

s. Stergiopoulos

Defence R&D Canada TorontoStergios.Stergiopoulos@drdc-rddc.gc.ca

replication of the encryption/decryption key to different par­ticipants instead of access to key by independent participantsto enhance the secrecy of the transmitted data through com­munication channel. However, it may increase the probabilityof key exposure by unauthorized channel users.

The performance of secret sharing schemes, when appliedto images are determined by : (i) quality of the recoveredimage and (ii) pixel expansion-m. The quality of the recon­structed image refers to the difference in contrast between theoriginal image and the recovered image. Pixel expansion (m)refers to the number of subpixels in the share images neededto represent a single pixel of the original input image. Obvi­ously the larger the value of factor m, the larger the size ofthe share. In the application considered in this work, sharesize must be controlled since most communication channelsare bandwidth constraint. Therefore, it is desirable to keep mas small as possible. Given the fact that color images, due totheir tristimulus representation, occupy much more space andrequire much more bandwidth for transmission, compared togray scale images, it is important to develop a visual cryp­tography scheme with no pixel expansion, in other words ascheme with m == 1 [2].

This paper is to propose secret sharing schemes whosereconstruction phase is operated without the need of humanvision system to preserve the content of the original input im­age. Most of the proposed secret sharing schemes intend tominimize pixel expansion or achieve perfect reconstruction.In [4] half-toning and dithering methods are used to controlpixel expansion. However half-toning reduces the quality ofthe input as well as that ofthe reconstructed original. Many ofthe existing schemes that offer no pixel expansion result in ei­ther poor quality reconstructed images or images that are notidentical to the original input. For example, the proposed in[5] scheme, has a pixel expansion factor m == 1 but it can notrestore the original image perfectly. The hybrid visual secretsharing scheme [6] has an adjustable pixel expansion at theexpense, however, of the reconstruction quality. The method­ology in [6] explains the trade offbetween share size and con­trast to introduce size adjustable visual secret sharing mecha­nism such that the user can choose the appropriate share sizeand the recovered image quality that fits an application. In [7]a color {2,2} secret sharing scheme with a pixel expansion

978-1-4244-3298-1/09/$25.00 2009 Crown DSP 2009

factor of m == 4 is proposed, however the solution cannotperfectly reconstruct the original input image. The methodhas an expansion factor of m == 1 but it does not offer perfectreconstruction, thus it is of limited applicability. The schemein [8] perfectly reconstructs the original input image due toits reciprocal encryption and decryption functions but it has apixel expansion factor of m > 1. It is therefore, unsuitable forthe cost-effective transmission of images over bandwidth con­strained communication channels. The proposed frameworkin [9] utilizes a block based algorithm in F25 I (a finite fieldwith 251 elements) to generates shares which are smaller thanthe input image in size. However, its performance is affectedby the distribution of the input image pixels.

The main contribution of this paper is the developmentof a cost effective, simple to implement {2, 2} secret sharingschemes for color images that perfectly reconstructs the inputimage. The proposed algorithms can be viewed as the basicsolution of a generic {t, n} secret sharing problem for colorimages. Although many previously published works explic­itly differentiate between {2, 2} and {t, n} schemes becausetheir {2, 2} decryption function is pixel based while the cor­responding {t, n} is block based [8], the proposed here solu­tion follows the exact same design regardless of the numberof shares and/or participants. The proposed scheme operatesdirectly on the bit plane representation of the input imageand produce noise-like shares. Similar to the proposed bit­level based scheme in [8], the presented framework utilizesbit-level decomposition methodology to generate the visualshares and perfectly recover the input image while achievingsmaller pixel expansion which makes it readily applicable inbandwidth constraints application scenarios. Using recipro­cal encryption and decryption procedures, the secret sharingscheme recovers the input image and makes it readily avail­able for subsequent image processing tasks. The matrix setsdriven by Kamaugh map design allows for a very simple, un­like other recently proposed schemes that require a compli­cated mathematical apparatus, for a flexible share generationprocedure.

2. THE PROPOSED SECRET SHARING SOLUTION

A secret sharing scheme typically follows the general accessstructure developed by Ateniese et al [10]. The model de­scribes a set of qualified subsets rQual and a set of forbid­den subsets r Forb on n participants P == {I, 2, ... , n}. Onlythe participants of any qualified subset can jointly reconstructthe input image. The pair (TQual, r Forb) is called the ac­cess structure of the scheme. In the schemes proposed herer Qual == {PI, P2 } where Pi is i t h participant. This is due tothe fact that the reconstructing phase of our {2, 2} proposedalgorithms is performed by polling of all of visual shares.

Choosing an appropriate color representation for process­ing tasks is a fundamental problem in image processing andcomputer vision. Color images are usually represented in

the RGB color space for both visualization and storage. Agiven color in the RGB color space can be described by in­dicating the value of each of the red, green and blue colorthat is included in it. Each can vary between the minimum(no color) and maximum (full intensity). Since each of thesecolor components can vary between zero to 255, RGB spaceis usually viewed as the 3-dimensional cube [1]. In RGBspace, a given color image A is defined as A : Z2 ---* Z3.In other words, it is considered to be a (KI X K 2) matrixwith each of its elements being a three-dimensional vector.Each pixel has three color components-red,green and blue­with intensity values ranging from 0 to 255. Thus each ofthese color pixels is represented using 24 bits according to theformula: A(i,j) == [a(i,j)l, a(i,j)2, a(i,j)3]' where (i, j) (fori == 1,2, ... , K I andj == 1,2, ... , K 2 ) and c == 1,2 or 3 are thespatial position and color channels respectively with c == 1denoting the R component, C == 2 denoting the G componentand c == 3 indicating the B component. Using the bit-levelnotation, the a(i,j)c element of the color vector A(i,j) can

be expressed as follows: a(i,j)c == L~=I aZi,j)c28-k, where

aZi,j)c equals to binary zero or one (bit) with k == 1 denotingthe most significant bit (MSB). In the proposed schemes theRGB representation is considered.

2.1. Encryption

The original input image is transformed into a noise like im­age by permuting all pixels according to a secret key. Apermutation step is used to decrease the correlation betweenneighboring pixels needed for increasing the randomness ofthe shares. Given an input color image of size (KI X K 2), twomatrices Rand C with corresponding dimensions (KI X K I)

and (K2 x K 2 ) are required for the implementation of thepermutation module. These matrices have to be transmittedalong with the generated shares to the receiver end ofthe com­munication channel. These matrices can be transmitted onlineduring the actual operation or they can be pre-transmitted dur­ing the communication link establishment phase. They can beused to share any number of images with size (KI X K 2) be­tween the same receiver-transmitter pair. It should be notedthat only one transmission of the permutation matrices percommunication session is needed. Further to that, if commu­nication resources need to be conserved, the permutation ma­trices can be compressed greatly due to their sparse structure(i.e. using lossless compression) without affecting the overallperformance. The defining characteristic of the two permu­tation matrices is that only a single 1 per row and column ispermitted while the rest of their elements are set to zero.

It can be seen that each column and each row containonly one 1 and there is not any zero row or column. Priorto encryption, a permutation step is applied on the originalinput image. The original input image A is permuted using:(Apermuted == (R x A) x C). The encryption procedure isapplied on the permuted image. In the original proposal of

[11] each bit of the binary input image is replaced with a ran­domly selected row of some generator matrix using two setsof matrices by a given sharing policy. Our proposed schemeencrypts two original bits by mapping them to two other bitsthus offering no pixel expansion (m == 1). Therefore, theinput image and the two shares are of the same size. It is eas­ily understood that for mapping two bits, there are only fourpossible combinations, namely {OO, 01,10,11}.

Based on these combinations, four (4 x 4) encryption ma­trices are defined as follows:

E 10 == [~ ~ : :] E 11 == [~ ~ ~ ~] (2)110 1 101 0

where Ei j is the basis matrix for encrypting the binarytuple (i, j) (i, j == 0 or 1). The encryption module randomlyselects an integer indicator q E {1, 2, 3, 4} (since each of Eij

matrices has four rows and the dealer should choose one ofthem). Based on its outcome, the dealer uses the qth rowof Ei j matrix (Elj ) to encrypt the tuple (i, j). The first 2elements of Elj form the first share entry which relates to(i, j) while the remaining two elements form the entry for thesecond share.

Thus, the encryption function can be defined as: f e ( i, j) ==Eij == [felij, fe2ij] == [(h 11, h I 2), (h 21, h 22)] and Eij ==(h 11, h 12, h 21, h 22) where fekij and h t z (k, t, z == 1 or 2)are the kt h part of the encryption function for the tuple (i, j)and zth element of tth share, respectively. Certain conditionsand constraints are imposed during the matrix generator rowselection. For example, each of the 2-tuples (h 11, h 12) and(h 21, h 22) must be different from the original binary tuple(i, j) since shares must be significantly different from theinput image. As each row of encryption matrices has 4 el­ements, there are 24 == 16 possible choices for each row.However, the imposed constraints eliminate 7 choices (for­bidden combinations) from the Karnaugh map descriptionof these elements [12] (the row and column that contain thebinary tuple (i, j)). Thus, the permissible choices are basedon the remaining nine elements as they are defined by theKarnaugh map logic. For example, assuming that the dealerconsiders replacing the rows of matrix Eoo, the allowableoptions are restricted to the minterms marked in Fig. 3.

A minterm is a logical expression of n variables consist­ing of only the logical conjunction operator and the comple­ment operator. There are 2n minterms for n variables. Giventhe fact that in the proposed scheme there are four variables

Table 1. Summary of notation

Input(secret) S == (81,82,83,84,8S,86,87,88)

Shares S hI == (VI 21, V 341, V S61 , V 781)

Sh2 == (VI 22, V 342 , V S62 , V 782)

Reconstructed s: == (fd(VI2), fd(V34), fd(VS6), fd(V78))

{h 11, h 12, h 21, h 22}, the related 24 == 16 minterms are repre­sented in a (4 x 4) Karnaugh map logic. Each of the rows inthe defined encryption matrices can be considered as a four­tuple consisting of binary elements. In other words, each rowis a four bit string that can be represented in a (4 x 4) Kar­naugh map logic. It should be mentioned that the complexityof the proposed scheme is independent of the Karnaugh mapsize due to the fixed size of a Karnaugh map with four binaryvariables.

2.2. Decryption

Similar to the encryption step, the proposed decryption func­tion is also based on the Karnaugh map logic. Based on therows of encryption matrices, the decoding function can be de­fined as follows:

(0,0) if hll·hI2·h21·h22 + hll.hI2.h21.h22

+hll.hI2·h21·h22 + hll.hI2.h21.h22 == 1(0,1) if hll·hI2.h21·h22 + hll.hI2.h21.h22

+hll.hI2.h21.h22 + hll.hI2.h21.h22 == 1(1,0) if hll.hI2·h21·h22 + hll.hI2.h21.h22

+hll.hI2·h21.h22 + hll.hI2.h21.h22 == 1(1,1) if hll.hI2.h21.h22 + hll.hI2.h21.h22

+hll.hI2·h21.h22 + hll.hI2.h21.h22 == 1(3)

where h i j (i, j == 1 or 2) means complement of h i j and(h 11, h 12, h 21, h 22) == Eij. The outcome of the expressionsin (3) has a value of 1 if and only if the corresponding rowwhich we built by concatenating elements from share 1 andshare 2 belongs to a single matrix in the set of matricesdefined during the encryption process. To find a booleanfunction, minterms that produce binary 1 are added modulo2. Boolean expressions in (3) correspond to functions thatare determined by adding some specified minterms modulo2. The logic expression for (i, j)-the output of the decodingprocess-with i, j == 0 or 1 is defined by adding the mintermscorresponding to E i j rows. If these specified minterms arerelated to E i j rows, the decoding function will return (i, j).The notation used in scheme B for sharing of one byte (eachof the a(i,j)c in equation (2)) of the original input image issummarized in Table I.

Fig. 1. The system level diagram of the proposed scheme

Fig. 2. A mapping of minterms on a Kamaugh map

(4)

It should be mentioned that it is possible to reveal one bit butthe permutation procedure refuses to be revealed in the exactposition.

In order to compare bandwidth utilization and thus thesize of the data that is sent through the communication chan­nel, we compare the proposed scheme with the solution in­troduced in [8]. In [8], in order to send a color image withsize (KI x K 2 ) in a {2, 2} scheme, two shares each with size(2KI x 2K2 ) must be sent, in other words to communicatevisual information of size (KI x K 2 ) , information with size(8K I x K 2 ) should be transmitted. In the proposed schemeB , for transmission of a color image of size (K I x K 2 ) , twoshares each with size (K I x K 2 ) and two permutation matri­ces with sizes (KI x Kd and (K2 x K 2 ) respectively need tobe sent. It is obvious that in our scheme the size of the trans­mitted data is less than [8]. It should be noted at this pointthat when a set of images of identical size are sent throughthe channel, the permutation matrices must be sent only oncesince the same permutation matrices can be used to decreasethe correlation of adjacent pixels of many different input im­ages with the same dimensionality. Further to that, when anumber of input images with different dimensions are to besent through the communication channel during the same ses­sion, there is no need to generate new permutation matricesevery time that an input image with different dimension ispresented by the transmitter. Note that the main characteris­tic of the permutation matrices is that they contain only one1 in each row and each column. Let us assume that a per­mutation matrix with size (K I x Kd (named PK ,) has beenconstructed and a permutation matrix with size (K3 x K3)(named PKJ is needed with K 3 > K I . The new matrix canbe defined as follows :

where 0 is a matrix with specified dimension with all itselements are zero. Given that PK, was available and alreadybe sent to the receiver, we just need to transmit PK 3- K , . Onthe other hand, if one of the rows and columns that have 1in their intersection position are randomly deleted from PK "

the remaining matrix is PK, - I. It means that if we deleteK 3 - K I rows and columns randomly from PK3 repeatedly,the remaining matrix is PK , . It means that the permutationmatrices are generated adaptively.

The performance ofthe proposed scheme may be affectedby attacks of adversaries on the permutation matrices. If anattacker successfully substitutes the permutation matrices atthe receiver, the proposed schemes may not be able to per­fectly reconstruct the original input image. It can also be ar­gued that an attacker may be able to modify the permutationmatrices so that the information about the original input is re­vealed in one of the shares. This is possible if and only ifa permutation matrix with most of its elements equal to one

KGBImage

(Al

h h21 22

MO M4 M12 M8

M1 M5 M13 M9N

.E

.J5.M3 M7 M15 M11

M2 M8 M14 M10

In secret sharing schemes are each of the two generatedshares must not reveal any information which can be used torecover the original input image. In the proposed here {2,2}scheme a single share by itself does not reveal any meaning­ful information about the original input image. For example,suppose f e(i,j) = [(h ll , h I 2 ) , (h 2 1 , h22 ) ]. A visual secretsharing scheme is secure if and only if (h ll ,h I 2 ) i=- (i,j)and (h 21 , h22 ) i=- (i ,j). The condition is satisfied because(h ll , h12 , h21 , h22 ) = Eb and due to the fact that none ofbinary tuples (h ll , h12 ) and (h 2 1 , h22 ) are equal to (i, j) dueto the encryption process. For exampl e to encrypt (0,0) thedealer chooses one of Eoo rows randomly. It is clear thatnone of2-tuples (h ll ,hI 2 ) and (h 2 1,h22 ) is equal to (0,0).

As it can be seen there 0:::; S :::; 255 (S is one byte con­sisting of eight bits), Si = °or 1 where 1:::; i :::; 8, Sh j isi h share of S: Vf(t+I) = (Vf(t+I)I , Vf(t+ 1)2) and Vf(t+ I)j =

f ej s , s, +, = (St j e, S(t+I) j e), where t = 1,3,5 or 7 and j = 1or 2 are used to indicates the elements ofthe shares and corre­sponding share respectively. The proposed scheme perfectlyreconstructs the permutated input image as it will be shown inthe experiments included in the next section. After decrypt­ing all pixels, the inverse of the permutation matrix is usedto provide the reconstructed outcome. Since the permutationstep does not change the nature or the dimension of the de­crypted image, it can be claimed that the proposed scheme isa sharing scheme with no pixel expansion that offers perfectreconstruction.

along the main diagonal. However, it is more realistic attackscenario may involve an adversary who:(i)changes the valuesof the permutation matrix such that the resulted matrix is nota valid permutation matrix, and/or (ii) substitutes the originalpermutation matrix with another one of the same dimension­ality. To prevent un-authorized modifications of the permuta­tion matrices by an adversary, hash functions can be utilized.For each permutation matrix, a hash value is computed andcommunicated to the receiver. If an adversary produces an­other permutation matrix or modifies the originally used ma­trix, the resulting hash value will be different from the hashvalue of the original permutation matrix. At the receiver, acomparison between the value of the received hash functionand the original hash value can be performed. If there is anydifference between them, it can not be acceptable and as aresult the attacks of adversaries can be detected.

3. EXPERIMENTAL RESULTS

Simulation results obtained by the proposed secret sharingscheme is provided in this section. The section includes acomparison between the proposed method and the solutionsdeveloped in [8] and [5]. We compare these algorithms byapplying them on the same sets of input images. Experimen­tation with a variety ofnatural images of practical importancewas introduced to demonstrate the effectiveness of the pro­posed schemes. It is important to note here that the perfor­mance evaluation is performed visually.

In Fig. 3 the proposed scheme is applied on the imageshown in Fig 3a with the generated shares depicted in Fig.3b-c and the reconstructed image shown in Fig. 3d. Thesetwo noise like images reveal no information about the origi­nal input. Simple visual inspection indicates that the size ofshares and that of input image is the same. The reconstructedimage is identical to the input due to the perfect reconstruc­tion property of the algorithm. In Fig. 4 the proposed schemein [8] is applied on the image shown in Fig 4a with its sharesdepicted at Fig. 4b-c and output shown in Fig. 4d. Visual in­spection of the results indicates that unlike our solutions, theshares generated are larger in size compared to the originalinput image. This is to be expected since the method of [8]has an expansion factor of m == 4. Consequently, the methodin [8] may not be a cost-effective solution for transmission ofcolor images over bandwidth limited communication chan­nels. The proposed schemes are also compared against thesolution introduced in [5] (see Fig. 5). Visual inspection ofthe results indicates that size of the original input image is aquarter of shares and the reconstructed images size (Fig. 5d).The scheme in [5] does not perfectly recover the original in­put image and the reconstructed image is darker than the orig­inaI input image. Thus, the method in [5] makes it difficult totransfer color images via bandwidth limited communicationchannels.

In Fig. 6 the result of changing the permutation matrices

by an adversary (during transmission through communicationchannel or at the receiver) is depicted. At the transmitter thepermutation matrices are used to decrease the correlation be­tween adjacent pixels in the original input image but due toattack of adversary, these matrices are changed and as a re­sult the recovered image is not similar to the original inputimage and in this case the secret sharing scheme can not per­fectly reconstruct the input secret image. In Fig. 7 the effectof using different permutation matrices before encryption isshown. Namely Fig. 7a-7d displays the original input, thegenerated shares and the reconstructed image when the samepermutation matrix set is used in both encryption and decryp­tion. Fig. 7e-7h displays results obtained using different per­mutation matrices at the encryption and decryption modules.It can be visually seen that in both cases the reconstructedimage is the same as the original input image because as dis­cussed before the most important thing about the permutationmatrices is their size and the permutation matrices that areused in transmitter and receiver must be the same.

4. CONCLUSIONS

A {2,2} secret sharing solution based on a Kamaugh map de­sign has presented in this paper. Our scheme does not ex­pand the input image. Depending on the actual application,the proposed schemes can be reconfigured to be best suitedfor the required bandwidth constraints. Using permutationbefore encryption process, the secrecy of the solution is en­hanced. Based on the experimental results, the scheme can beapplied to send color images over un-trusted, bandwidth lim­ited communication channels since the shares produced areidentical in size to the secret input image.

5. REFERENCES

[1] M. Heidarinejad, M. Yazi, and K.N. Plataniotis, "Algebraicvisual cryptography scheme for color images," Proceedings ofthe IEEE International Conference on Acoustics, Speech andSignal Processing, pp. 1761-1764, 2008.

[2] M Heidarinejad and K.N. Plataniotis, "A second generationvisual secret sharing scheme for color images," Proceedings ofthe IEEE International Conference on Image Processing, pp.481-484, 2008.

[3] C Chang and J Chuang, "An image intellectual property pro­tection scheme for gray-level images using visual secret shar­ing strategy," Pattern Recognition Letters, vol. 23, no. 8, pp.931-941, June 2002.

[4] Y Hou, F Lin, and C Chang, "Visual cryptography for colorimages without pixel expansion," Journal ofTechnology, vol.16,no.4,pp.595-603,2001.

[5] Y Hou, "Visual cryptography for color images," PatternRecognition, vol. 36, no. 7, pp. 1619-1629,2003.

[6] C Yang and T Chen, "Size-adjustable visual secret sharingschemes," IEICE Trans. Fundamentals, vol. E88-A, no. 9, pp.2471-2474, September 2005.

Fig. 5. The {2,2} visual secret sharing scheme of [5]: (a)Original image (b) Share I (c) Share 2, (d) Reconstructed im­age.

(d)

(b)

(e)

(a)

[7J Hou Young-Chang, "Visual cryptography for color images,"Pattern Recognition, vol. 36, pp. 1619-1629,2003 .

[8J R Lukac and K.N Plataniotis, "Bit-level based secret sharingfor image encryption," Pattern Recognition, vol. 38, no. 5, pp.767-772, May 2005.

[9J L. Bai, "A Reliable (k, n) Image Secret Sharing Scheme," Pro­ceedings ofthe 2nd IEEE International Symposium on Depend­able, Autonomic and Secure Computing (DASC'06)-Volume00, pp. 31-36, 2006.

[10J G. Ateniese, C. Blundo, A. De Santis, and D.R. Stinson, "Vi­sual Cryptography for General Access Structures," Informa­tion and Computation, vol. 129, no. 2, pp. 86-106, 1996.

[IIJ Moni Naor and Adi Shamir, "Visual cryptography," Ad­vances in Cryptography: Eurocrypt '94,Springer, pp. 1-12,1995-Berline.

[12J Maurice Kamaugh, "The map method for synthesis of combi­national logic circuits," Transactions ofAmerican Institute ofElectrical Engineers, vol. 72, no. 9, pp. 593-599, November1953.

(a) (b)

(a) (b)

Fig. 6. The effect of attack by an adversary: (a) Originalimage (b) Share I (c) Share 2, (d) Reconstructed image.

(e) (d)

(e) (d)

Fig. 3. The proposed method: (a) Original image (b) Share I(c) Share 2, (d) Reconstructed image.

(a) (b)

(a) (b)

(e) (d)

(e) (d)

Fig. 4. The {2,2} visual secret sharing scheme of [8]: (a)Original image (b) Share I (c) Share 2, (d) Reconstructed im­age.

(e) (I)

(g) (11)

Fig. 7. The effect of permutation matrices substitution.