scheme using latin square , feng liu , teng guo , rongquan...

IET Information Security

Research Article

Cheating prevention visual cryptographyscheme using Latin square

ISSN 1751-8709Received on 11th March 2016Revised 23rd July 2016Accepted on 31st August 2016E-First on 6th February 2017doi: 10.1049/iet-ifs.2016.0126www.ietdl.org

Yawei Ren1,2,3 , Feng Liu1,3, Teng Guo4, Rongquan Feng5, Dongdai Lin1

1State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, People'sRepublic of China2School of Information Management, Beijing Information Science and Technology University, Beijing 100192, People's Republic of China3University of Chinese Academy of Sciences, Chinese Academy of Sciences, Beijing 100190, People's Republic of China4School of Information Science and Technology, University of International Relations, Beijing 100091, People's Republic of China5School of Mathematical Sciences, Peking University, Beijing 100871, People's Republic of China

E-mail: [email protected]

Abstract: In the past decade, the researchers paid more attention to the cheating problem in visual cryptography (VC) so thatmany cheating prevention visual cryptography schemes (CPVCS) have been proposed. In this paper, the authors propose anovel method, which first makes use of Latin square to prevent cheating in VC. Latin squares are utilised to guide the choosingof authentication regions in different rows and columns of each divided block of the shares, which ensures that the choosing ofauthentication regions is both random and uniform. Without pixel expansion, the new method provides random regionsauthentication in each divided block of all shares. What is important is that the proposed method is applicable to both (k, n)-deterministic visual cryptography scheme ((k, n)-DVCS) and (k, n)-probabilistic visual cryptography scheme ((k, n)-PVCS).Experimental results and properties analysis are given to show the effectiveness of the proposed method.

1 IntroductionVisual cryptography (VC), first introduced by Naor and Shamir in1994 [1], is an example of secret sharing. The merit of VC is thatman can observe the recovered secret image through human visualsystem rather than complex computation. A k out of n visualcryptography scheme((k, n)-VCS) encodes a secret image SI into ndifferent noise shares so that SI can be revealed by stacking any kor more than k shares, and no information of S can be obtained byany fewer than k shares.

Since the research about VC has been developed for more than20 years, many visual cryptography schemes (VCS) have beendevised such as general access structure visual cryptographyscheme [2], extended visual cryptography scheme [3, 4],probabilistic visual cryptography scheme (PVCS) [5–7], multi-pixel encryption size invariant visual cryptography scheme [8, 9],random grid based visual cryptography scheme [10–15], taggedvisual cryptography scheme [16–18], progressive visualcryptography scheme [19, 20]. Recently, a book which givessystematical and comprehensive introduction about VC ispublished [21].

There exists the cheating problem in VC: cheaters supply somefake shares to victims and the victims cannot identify whether therevealed image is genuine or fake. It might result in large loss tothe victims. Therefore, many methods have been proposed toprevent cheating in VC. In 1999, Yang and Laih [22] proposed twomethods: one method needs a trusted authority (TA) to hold thespecial verification share for detecting fake shares and anothermethod encodes a secret pixel into m + n(n − 1) subpixels. DePrisco and De Santis. [23, 24] proposed a method which adds somecolumns to the basis matrices of (2, n)-VCS to prevent the accuratespeculation about original subpixel-blocks. Tsai et al. [25] adoptedgeneric algorithms to encrypt homogeneous secret images for theaid of cheating prevention. Horng et al. [26] proposed twomethods: the first one is realised by authenticating one part of eachshare and the second one makes use of the basis matrices of (2, n + l)-VCS (l ≥ 1) for (2, n)-VCS. Afterwards, Hu and Tzeng [27]applied three cheating methods to attack the first scheme in [22]and two schemes in [26] and proposed a (Γ, m + 2)-CPVCS.

However, Liu et al. [28] and Chen et al. [29] pointed out that the(Γ, m + 2)-CPVCS is not cheating immune. Liu et al. [28]proposed the authentication on the subpixel-blocks correspondingto some randomly chosen black (resp. white) secret pixels. Chen etal. [30] proposed the authentication on the shares corresponding tothe randomly chosen black (resp. white) regions of secret image intheir (2, n)-CPVCS.

The above methods all have one or more than onedisadvantages such as the follows: (i) Each share has extra pixelexpansion [22, 23, 26, 27]; (ii) Extra shares are used to authenticatethe shares [26, 27, 30]; (iii) Some methods need higher encodingcomputation [25]; (iv) Some methods have restriction on k [22, 23,26, 30]; (v) Some methods need TA's help to authenticate theshares [22]; (vi) Some methods are only applicable to deterministicvisual cryptography scheme (DVCS) [22, 27–30].

Considering the above disadvantages, we first propose a novelmethod to prevent cheating in VC using Latin square. Latin squareintroduces randomness and uniformity into the proposed method,which makes sure that the authentication regions are randomlychosen in different rows and columns of each divided block of theshares. As assistance, probability modification is utilised to embedthe authentication patterns in the stacking results of thecorresponding shares and verification shares. Without pixelexpansion, the proposed method provides random regionsauthentication in each divided block of all shares. The proposedmethod is proved to be effective theoretically and experimentally.

The rest of the paper is organised as follows. We introduce theformal definitions of VCS and cheating in VCS, preliminaryknowledge of Latin square are in Section 2. The proposed schemeis described in Section 3. The corresponding properties analysis isprovided in Section 4. In Section 5, we give experimental resultsand comparison to show the effectiveness of our method. At last,we conclude our work in Section 6.

IET Inf. Secur., 2017, Vol. 11 Iss. 4, pp. 211-219© The Institution of Engineering and Technology 2016

211

2 Preliminaries2.1 (k, n)-visual cryptography scheme

For (k, n)-VCS, where 2 ≤ k ≤ n, a secret image SI is encryptedinto n shares. The dealer (a trusted third party) distributes them to nparticipants. Any k or more than k participants can reconstruct thesecret image by stacking their shares, whereas fewer than kparticipants cannot obtain any information of the secret imageexcept for the share size. We give the formal definitions of (k, n)-DVCS and (k, n)-PVCS as follows. Definition 1: ((k, n)-DVCS [1]) A (k, n)-DVCS is composed of twocollections C0 and C1 of n × m Boolean matrices. The scheme isconsidered valid if and only if the following conditions are met:

i. (Contrast condition) For any matrix M ∈ C0, denote v0 as the‘or’ vector of any k of the n rows of M, then it satisfiesH(v0) ≤ l. For any matrix M ∈ C1, denote v1 as the ‘or’ vectorof any k of the n rows of M, then it satisfies H(v1) ≥ h. h and lare integers, which satisfy that 0 < l < h ≤ m.

ii. (Security condition) For any subset P = {i1, i2, …, ic}, c < k andP ⊂ {1, 2, …, n}, the two collections of c × m matrices Mb, forb ∈ {0, 1}, obtained by restricting the matrices of Cb (where b = 0, 1) to the i1, i2, …, ic rows are indistinguishable in the sensethat they contain the same matrices with the same frequencies.

In Definition 1, H(v) denotes the hamming weight of v. m iscalled the pixel expansion, which represents the loss in resolutionfrom the original image to the shared one. The value α = (h − l)/mis defined as the contrast in [1], which reflects the visual quality ofthe revealed secret image. m and α are two important parameters ofVC. Definition 2: ((k, n)-PVCS [6]) A (k, n)-PVCS is composed of twocollections C0 and C1 of n × 1 Boolean matrices. The scheme isconsidered valid if and only if the following conditions are met:

i. (Contrast condition) For any matrix M ∈ C0, denote p(0, k) asthe probability that the ‘or’ of any k of the n rows of M is 1,

which satisfies p(0, k) ≤ pl. For any matrix M ∈ C1, denotep(1, k) as the probability that the ‘or’ of any k of the n rows ofM is 1, which satisfies p(1, k) ≥ ph. pl and ph satisfy that0 < pl < ph ≤ 1.

ii. (Security condition) For any subset P = {i1, i2, …, ic}, c < k andP ⊂ {1, 2, …, n}, p(0, c) = p(1, c).

In Definition 2, pixel expansion m = 1 and the contrast isdenoted by α = ph − pl.

2.2 Latin square

Definition 3: An nL × nL matrix L is an nL × nL Latin square if andonly if every row of L is a permutation of {1, 2, …, nL} and everycolumn of L is a permutation of {1, 2, …, nL}.Up to now, there is no computational formula for the number ofnL × nL Latin squares. Table 1 shows that the number of nL × nLLatin squares grows exceedingly quickly with increasing nL.

2.3 Cheating in VCS

Two types of cheaters were discussed in [27]: one is a maliciousparticipant (MP) who is a legitimate participant and the other is amalicious outsider (MO) who does not belong to the set oflegitimate participants.

Our discussions of the cheating problem in VCS are based onthe above two types of cheaters and the following definition. Definition 4 ([23]): A VCS scheme is cheating immune if and onlyif the probability of the successful cheating in any pixel is less than1.

3 Proposed CPVCSThe proposed scheme endows each participant with the ability ofauthentication. Before participants prepare to stack their shares toreconstruct secret image, each participant needs to accomplishauthentication by checking the positions and number of the equal-size, solid black regions on the stacked results between hisverification share and other participants’ shares to identify thegenuineness of his gathered shares. Thus, we will detail theproposed scheme from two aspects: (i) share generation; (ii)authentication and reconstruction. Some notations in the proposedscheme are listed in Table 2.

3.1 Share generation phase

In this phase, a secret image SI is first encrypted into n originalshares DIi, i = 1, 2, …, n by using (k, n)-DVCS or (k, n)-PVCS.Herein, let the size of the shares be L × W. Meanwhile, n originalverification shares VI j, j = 1, 2, …, n having the same size withoriginal shares are generated, in which white pixel and black pixelrandomly emerge with the probability of 1/2, respectively. Andthen DIi, i = 1, 2, …, n and VI j, j = 1, 2, …, n are divided into Tblocks from left to right and from top to bottom, which are denotedas

DIi, z, 1 ≤ i ≤ n, 1 ≤ z ≤ T (1)

VI j, z, 1 ≤ j ≤ n, 1 ≤ z ≤ T (2)

where the size of each block is (n + 1)X × (n + 1)Y andT = (L × W)/((n + 1)X × (n + 1)Y). Each unit region (UR) is ablock partition with X × Y pixels, which is arranged in each one of(n + 1) × (n + 1) cells of one block. It is required that (n + 1)X |Land (n + 1)Y |W. Simultaneously, X, Y satisfy that XY /m′sufficiently approaches ⌈ XY

m′ ⌉, where m′ = m in (k, n)-DVCS and

m′ is the lowest common multiple value of column numbers of two

Table 1 Number of nL × nL Latin squares (2 ≤ nL ≤ 8)nL The number NnL

of nL × nL Latin squares

1 12 23 124 5765 161,2806 812,851,2007 61,479,419,904,0008 108,776,032,459,082,956,800

Table 2 Some notations and their descriptions in theproposed schemeNotations Descriptionsn The number of shares generated by (k, n)-VCS.pvi The ith element of the vector PV.

rmi The ith element of the array RM.

p(0, VI) The probability of a white pixel on an original verificationshare.

p(0, DI) The probability of a white pixel on an original share.Di(B) One block of the ith final share.

V j(B) One block of the jth final verification share.

+ Stacking operation, namely the ‘or’ operation.P( ∙ ) The probability of the event ∙.

212 IET Inf. Secur., 2017, Vol. 11 Iss. 4, pp. 211-219© The Institution of Engineering and Technology 2016

collections C0 and C1 in (k, n)-PVCS. The URs of the zth originalblocks Di, z and V j, z are denoted as:

DIi, z(URp, q), 1 ≤ p, q ≤ n + 1 (3)

VI j, z(URp, q), 1 ≤ p, q ≤ n + 1 (4)

To obtain clearer authentication results, the size X × Y cannot beless than 30 × 30 in practical application. Due to the size of UR,the secret image needs to be adjusted to the appropriate size. In (k,n)-DVCS, the moderate size (no less than 100 × 100) can meet therequirement, whereas the size of secret image is enlarged withincreased n in (k, n)-PVCS.

The key problem of this phase is block modification. Algorithm1 accomplishes this work. The steps of Algorithm 1 are describedas followings. Algorithm 1: (Block modification):

Input: the zth original blocks DIi, z and VI j, z .

Output: the zth final blocks Di, z and V j, z .

Step 1: Randomly generate one (n + 1) × (n + 1) Latin squareU = {up, q}, where 1 ≤ p, q ≤ n + 1.Step 2: Randomly choose n different numbers e1, e2, …, en from{1, 2, …, n + 1} and denote en + 1 as the remaining number.Randomly generate one n × n Latin square R = {ri, j}, whereri, j ∈ {e1, e2, …, en}.Step 3: Randomly generate a permutation vector PV on{1, 2, …, n}.Step 4: Select en + 1 and ri, pvi

with the probability of 1/2, wherei = 1, 2, …, n. If en + 1 is selected, then replace ri, pvi

with it and store ri, pvi in the

array RM. If not, then make ri, pvi

remain unchanged and store en + 1 in thearray RM.Step 5: Let ℱ be a mapping function. ℱ:URp, q → up, q,1 ≤ p, q ≤ n + 1. For all (p, q), 1 ≤ p, q ≤ n + 1 which satisfy thefollowing conditions, do Steps 6–7:Step 6: For 1 ≤ i, j ≤ n, Step 6.1: If i ≠ j and ℱ(URp, q) = ri, j, then apply URModification Rule 1 to modify the pixels of DIi, z(URp, q) andVI j, z(URp, q). Step 6.2: If i = j and ℱ(URp, q) = ri, j, then apply URModification Rule 2 to modify the pixels of DIi, z(URp, q) andVI j, z(URp, q).Step 7: For 1 ≤ i ≤ n, If ℱ(URp, q)) = rmi, then apply UR Modification Rule 2 tomodify the pixels of DIi, z(URp, q) and VIpvi, z

(URp, q).Step 8: The zth original blocks DIi, z and VI j, z have been modifiedand the zth final blocks Di, z and V j, z are obtained.

In Steps 1 and 2 of Algorithm 1, an (n + 1) × (n + 1) Latin squareU and an n × n Latin square R are randomly generated. The cells ofU marked by the same number are responsible to determine thepositions of random authentication regions of a block. In Steps 3and 4 ri, pvi

would be replaced by en + 1 with the probability 1/2, thusthe final matrix R is obtained. R ensures that the positions ofauthentication regions are random and non-overlapped on thestacked results between Di, z and V j, z, 1 ≤ i ≠ j ≤ n. In Step 5, thefunction ℱ establishes a one-to-one mapping between each UR ofone block and each element of U. Steps 6–7 of Algorithm 1accomplish pixels modification, which apply the following URmodification rules.UR modification rules

For the corresponding (p, q)th UR of the zth original blocksDIi, z(URp, q) = {dx, y} and VI j, z(URp, q) = {vx, y}(1 ≤ x ≤ X, 1 ≤ y ≤ Y), we give the following modification rules.

Rule 1: For 1 ≤ x ≤ X, 1 ≤ y ≤ Y,

If both dx, y and vx, y are white pixels, then select one of dx, y and vx, ywith the probability of 1/2 and modify the selected pixel into blackpixel.

Rule 2: For 1 ≤ x ≤ X, 1 ≤ y ≤ Y,

(a) If dx, y is white pixel, then modify it into black pixel with theprobability (1/2)p(0, VI).(b) If vx, y is white pixel, then modify it into black pixel with theprobability (1/2)p(0, DI).

Rule 1 makes the stacked result of two corresponding URs of oneshare and one verification share become solid black pattern,whereas by using Rule 2, the stacked result of them is noise image.Herein, we illustrate the procedure of Algorithm 1 by usingExample 1. Example 1: Let n = 3. Generate a 4 × 4 random Latin square

U =

1 3 2 42 4 3 14 2 1 33 1 4 2

. Randomly choose e1 = 1, e2 = 3, e3 = 4 from

{1, 2, 3, 4} and generate one 3 × 3 random Latin square

R =1 3 43 4 14 1 3

. The random permutation vector PV = (2, 1, 3) . In

accordance to Step 4, r1, 2, e4, r3, 3 are selected and RM = {2, 3, 2}.

Then R =1 3 42 4 14 1 3

.

In the table

+ V1(B) V2(B) V3(B)D1(B) 1 3 4D2(B) 2 4 1D3(B) 4 1 3

, the bold numbers are

the corresponding numbers of random authentication regions onthe blocks by stacking Di and V j, 1 ≤ i ≠ j ≤ 3. The regionsmarked by the numbers in Fig. 1 are different randomauthentication regions on the stacked blocks Di(B) + V j(B),1 ≤ i ≠ j ≤ 3. Algorithm 2: (Share generation):

Fig. 1 Random authentication regions on Di(B) + V j(B), 1 ≤ i ≠ j ≤ 3 inthe proposed (k,3)-CPVCS, where 2 ≤ k ≤ 3


213

Input: a secret image SI.Output: n shares Di, i = 1, 2, …, n and n verification shares V j,j = 1, 2, …, n.Step 1: Encrypt the secret image SI into n original shares DIi,i = 1, 2, …, n by using (k, n)-DVCS or (k, n)-PVCS.Step 2: Generate n original verification shares VI j, j = 1, 2, …, nhaving the same size of the original shares, in each of which blackpixel and white pixel randomly emerge with the probability of 1/2,respectively.Step 3: Divide DIi, i = 1, 2, …, n and VI j, j = 1, 2, …, n into non-overlapping blocks as depicted in (1) and (2) and continue to dividetheses blocks of DIi, i = 1, 2, …, n and VI j, j = 1, 2, …, n into(n + 1) × (n + 1) equal-size URs as depicted in (3) and (4).Step 4: Apply Algorithm 1 to modify some pixels of DIi, z andVI j, z, i, j = 1, 2, …, n, 1 ≤ z ≤ T, where T is the number of theabove blocks. Then n final shares Di, i = 1, 2, …, n and n finalverification shares V j, j = 1, 2, …, n are obtained.

Finally, we adopt Algorithm 2 to obtain n final shares Di,i = 1, 2, …, n and n final verification shares V j, j = 1, 2, …, n. Foreach verification share V j, j = 1, 2, …, n, the stacked imagesDi + V j are n−1 different images with solid black patterns, wherei ≠ j, i = 1, 2, …, n. When 1 ≤ i = j ≤ n, the stacked imagesDi + V j are noise images.

3.2 Authentication and reconstruction phase

Authentication phase:

Step 1: Each of the t (t ≥ k) participants checks whether the othert − 1 participants’ shares are noise images, in which thedistribution of white pixel and black pixel should be even,respectively.Step 2: Each of the t (t ≥ k) participants uses his verification shareto stack with the other t − 1 participants’ shares, respectively. Foreach stacked image, the checking steps are listed as follows.

Step 2.1: If there are n + 1 solid black patterns locating at differentrows and columns in each block of the stacked image, thecorresponding share will be accepted. Continue to check the nextstacked image.Step 2.2: If the number of solid black patterns is incorrect or somesolid black patterns are incomplete, the corresponding share will berejected. The authentication procedure stops.

Reconstruction phase:If all t (t ≥ k) shares are regarded as genuine after the

authentication phase, t(t ≥ k) participants will stack their shares toreconstruct the secret image.

4 Properties analysisIn this section, we prove that the proposed scheme is a validconstruction of (k, n)-CPVCS by Theorems 1–3 and Theorem 5,which has three properties: security property, contrast property andcheating prevention property.

4.1 Security property and contrast property

In the proposed scheme, the original shares generated by (k, n)-DVCS or (k, n)-PVCS and the initial verification shares aremodified. However, the modification rules are relevant to thepositions of randomly chosen authentication regions, which havenothing to do with secret pixels. The following lemmas andtheorems show that the proposed scheme has security property andcontrast property. Lemma 1: In the proposed scheme, each share is generated byevenly modifying white pixels of each original share into blackpixels with the probability of 1/4.

Proof: In each original share of the (k, n)-DVCS or (k, n)-PVCS,the distribution of white pixel and black pixel in each UR arealmost as same as p(0, DI) and p(1, DI). With the UR modificationrules, the probability of white pixels being modified in each UR is(1/2)p(0, VI). In each original verification share, black pixel andwhite pixel emerge with the probability of 1/2, respectively, thusp(0, VI) = 1/2. All URs of each original share are modified, thusthe probability of white pixels being evenly modified into blackpixels in each original share is 1/4.□

However, each participant has both a share and a verificationshare in the proposed scheme. To each verification share, we obtainthe following similar conclusion. Lemma 2: In the proposed scheme, each verification share isgenerated by evenly modifying white pixels of each originalverification share into black pixels with the probability of(1/2)p(0, DI). Proof: In each original verification share, the distribution of whitepixel and black pixel in each UR are almost the same as p(0, VI)and p(1, VI). With the UR modification rules, the probability ofwhite pixels being modified in each UR is (1/2)p(0, DI). In eachoriginal share, the probability distribution of white pixel p(0, DI) isdetermined by the construction of (k, n)-VCS. All URs of eachoriginal verification share are modified, thus the probability ofwhite pixels being evenly modified into black pixels in eachoriginal verification share is (1/2)p(0, DI).□ Theorem 1: The proposed (k, n)-CPVCS is secure. Proof: Since the construction of (k, n)-VCS has been proved that itsatisfies the security condition, we cannot obtain any secretinformation by stacking any less than k original shares. WithLemma 1, white pixels of each original share are evenly modifiedwith the probability of 1/4. In addition, the UR modification rulesare irrelevant to secret pixels. Hence, the proposed scheme has thesame security property with (k, n)-VCS.□ Theorem 2: The secret image can be revealed by stacking anygroup of t(t ≥ k) shares in the proposed (k, n)-CPVCS. Proof: Each share is generated by evenly modifying white pixels ofeach original share into black pixels with the probability of 1/4 inthe proposed scheme, which increases the darkness level of thewhite regions and black regions of the revealed secret image withthe same degree. However, the difference of the modified darknesslevel (3/4)t(h − l) or (3/4)t(ph − pl) is greater than 0, when any t(t ≥ k) shares are stacked. Therefore, secret image can be revealedon the stacked result of any group of t(t ≥ k) shares in the proposedscheme.□ Theorem 3: The solid black authentication patterns can be revealedby stacking the share Di and the verification share V j,1 ≤ i ≠ j ≤ n. Proof: If the UR is the randomly selected authentication region, thestacked result of two corresponding URs of one share and oneverification share become perfect black. If not, the black pixeldensity of the stacked result is 1 − (3/8)p(0, DI) + (3/16)p(0, DI)2.Thus, the solid black authentication patterns can be revealed on thestacked results of Di and V j, where 1 ≤ i ≠ j ≤ n.□

4.2 Cheating prevention

In the proposed scheme, the randomly chosen regions of each shareare authenticated, which implies that successful cheating dependson the correct speculation about the positions of the authenticationregions.

According to different numbers and types of cheaters, theanalysis about cheating prevention property of the proposedscheme is as follows.


i. For an MO, he has no information about the shares and theverification shares of the legal participants. The only work theMO can do is making some shares which are stacked to showthe fake image. The forged shares can be definitely detected atStep 2 of the authentication phase.

ii. For an MP, he has one share and one verification share, but hestill has no information about other shares and verificationshares. For the MP, the work he can do is choosing a fakeimage as secret image and generating some shares. The fakeimage can be revealed by stacking these shares with his ownshare. However, the MP has almost no information about thepositions of the authentication regions. Therefore, the forgedshares can be definitely detected at Step 2 of the authenticationphase too.

iii. For t′ (2 ≤ t′ ≤ n − 1) MPs, they can obtain some informationabout the positions of solid black patterns through stackingtheir respective shares with other MPs’ verification shares. Inaccordance with Algorithm 1, the positions of n + 1 solid blackpatterns in one block are determined by the (n + 1) × (n + 1)Latin square U and the n × n matrix R. Thus, the speculationabout the positions of random authentication regions isconverted to U and some elements of R.

Assumed that the t′ MPs totally obtain Nbp (t′ − 1 ≤ Nbp ≤ n + 1)groups of n + 1 solid black patterns in one block. The first work thet′ MPs to do is to guess the (n + 1) × (n + 1) Latin square U, whichis affected by the value of Nbp. P(U | Nbp) denotes the probability ofU being correctly guessed with known Nbp. Two facts of P(U | Nbp)are obtained:

(a) P(U | Nbp) = 1, for Nbp = n or n + 1.(b) P(U | Nbp) < 1, for t′ − 1 ≤ Nbp ≤ n − 1.

The second work is that the t′ MPs try to guess the correspondingnumbers of authentication regions in one block of the stackedresults between their respective shares and other n − t′ participants’verification shares.

Let I = {1, 2, …, n} and the index set of t′ MPs is{iMP1

, iMP2, …, iMPt′

} ⊂ I. The index set of other n − t′ participantsis I − {iMP1

, iMP2, …, iMPt′

}, denoted by { jRP1, jRP2

, …, jRPn − t′}. The

elements riMPg, jRPs

of R, 1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′ are the numbers

that t′ MPs try to guess. And then, the following lemma isobtained. Lemma 3: Given riMPg

, jMPw, ∀1 ≤ g ≠ w ≤ t′, then for

∀1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′, P(riMPg, jRPs

is correctly guessed) =

1/(n − t′ + 2).

Proof: ∀g, for w ≠ g, 1 ≤ w ≤ t′, riMPg, iMPw

are different t′ − 1numbers. Thus, riMPg

, jRPs can only be one number of the remain

n − t′ + 2 numbers. Furthermore, we obtainP(riMPg

, jRPsis correctly guessed) = 1/(n − t′ + 2), where

1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′.□With enlarged t′, the value of P(riMPg

, jRPs is correctly guessed)

increases, where 1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′. When t′ reaches themaximum n − 1, P(riMPg

, jRP1 is correctly guessed)= 1/3, where

2 ≤ g ≤ n. Furthermore, ∏g = 1n − 1 P(riMPg

, jRP1 is correctly guessed)

≤ 1/3!. Example 2: Suppose that P1 and P2 are two MPs in (2, 3) case. P1and P2 can gain r1, 2 and r2, 1. Without loss of generality, assume thatr1, 2 = 1, r2, 1 = 1 and r1, 2 = 1, r2, 1 = 2, the guessed results of r1, 3 andr2, 3 in 3 × 3 matrix R are listed in Table 3, in which Pr1, 3r2, 3

denotesP(r1, 3 and r2, 3 are correctly guessed). Given r1, 2 = 1, r2, 1 = 1,P(r1, 3 = 2)= P(r1, 3 = 3)= P(r1, 3 = 4)= 1/3, P(r2, 3 = 2)= P(r2, 3 = 3)= P(r2, 3 = 4)= 1/3 and Pr1, 3r2, 3

= 1/6. Meanwhile, whenr1, 2 = 1, r2, 1 = 2, P(r1, 3 = 2) = P(r1, 3 = 3) = P(r1, 3 = 4) = 1/3,P(r2, 3 = 1) = P(r2, 3 = 3) = P(r2, 3 = 4) = 1/3 and Pr1, 3r2, 3

≤ 1/6. The final work is guessing the positions of authentication

regions. Denote BARiMPgjRPs

as the position of authentication

regions in one block of the stacked result DiMPg+ V jRPs

,

1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′. Denote ARiMPgjRPs

as the positions of

authentication regions of the stacked result DiMPg+ V jRPs

,

1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′. Theorem 4: Given BARiMPg

jMPw, 1 ≤ g ≠ w ≤ t′, P(BARiMPg

jRPs is

correctly guessed)≤ 1/(n − t′ + 2), where1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′. Proof: For ∀1 ≤ s ≤ n − t′, 1 ≤ g ≠ w ≤ t′, ifBARiMPg

jRPs= BARiMPg

jMPw, then P(BARiMPg

jRPs is correctly guessed)

= 1/(n − t′ + 2). For ∀1 ≤ s ≤ n − t′, 1 ≤ g ≠ w ≤ t′, ifBARiMPg

jRPs≠ BARiMPg

jMPw, then P(BARiMPg

jRPs is correctly guessed)

= P(U | Nbp)/(n − t′ + 2). Thus, ∀1 ≤ g ≤ t′, 1 ≤ s ≤ n − t′,P(BARiMPg

jRPs is correctly guessed)≤ 1/(n − t′ + 2).□

In Example 2, while BAR12 = BAR21 = 1,P(BAR13 = 2) = P(BAR13 = 3) = P(BAR13 = 4) = P(U | 1)/3< 1/3

and

Table 3 Guessed results of r1, 3 and r2, 3 in 3 × 3 matrix R with known r1, 2 and r2, 1

r1, 2 r2, 1 r1, 3 r2, 3 Pr1, 3r2, 3r1, 2 r2, 1 r1, 3 r2, 3 Pr1, 3r2, 3

1 1 2 3 16

1 2 2 3 19

1 1 2 4 16

1 2 2 4 19

1 1 3 2 16

1 2 3 1 16

1 1 3 4 16

1 2 3 4 16

1 1 4 2 16

1 2 4 1 16

1 1 4 3 16

1 2 4 3 16

1 2 2 1 19


215

P(BAR23 = 2) = P(BAR23 = 3) = P(BAR23 = 4) = P(U | 1)/3< 1/3

.

when BAR12 = 1 and BAR21 = 2 are known, we obtainP(BAR13 = 2) = P(BAR23 = 1) = 1/3 andP(BAR13 = 3) = P(BAR13 = 4) = (P(U | 2)/3) < (1/3).P(BAR23 = 3) = P(BAR23 = 4) = (P(U | 2)/3) < (1/3). Corollary 1: Given BARiMPg

jMPw, 2 ≤ g ≠ w ≤ n, ∏g = 2

n P

(BARiMPgjRP1

is correctly guessed)≤ 1/3!. Corollary 2: Given ARiMPg

jMPw, 2 ≤ g ≠ w ≤ n, ∏g = 2

n P(ARiMPgjRP1

is correctly guessed)≤ 1/(3!)T, where T is the number of blocks. Corollary 3: For an MP, ∀ f , 1 ≤ f ≤ n − 1, P(ARiMP1

jRP f is

correctly guessed)≤ 1/Nn + 1T (n + 1)T, where Nn + 1 is the number of

(n + 1) × (n + 1) Latin squares and T is the number of blocks.The probability obtained in Corollary 2 is the probability with

which one honest participant can be successfully fooled by n − 1MPs. Corollary 3 shows that the probability of the successfulcheating only by one MP is far less than the probability inCorollary 2.

With the above analysis, we can obtain the following theorem: Theorem 5: The proposed scheme is a valid CPVCS. Proof: The authentication information about shares is unavailablefor an MO. For an MP and t′ (2 ≤ t′ ≤ n − 1) MPs, they cannotguess the positions of authentication regions of their shares withthe probability of 1. Hence, the fake shares can be detected in theauthentication phase. Furthermore, no pixel (pixels-block) of thevictims’ shares can be guessed with the probability of 1. Accordingto Definition 4, the proposed scheme is cheating immune.□

5 Experimental results and comparison5.1 Experimental results

The experimental results of the proposed (2, 3)-CPDVCS, (2, 3)-CPPVCS and (3, 3)-CPDVCS are shown in Figs. 2–4, in which thesize of the secret image is 256 × 256, 512 × 512, 256 × 256 and thesize of each UR is 32 × 24, 32 × 32, 32 × 32, respectively. InFigs. 2 and 3, we obtain the authentication images through stackingthe verification share V i with the share D j and reconstruct thesecret image through stacking any two shares Di with D j, i ≠ j,1 ≤ i, j ≤ 3 and all three shares D1, D2, D3. In Fig. 4, we obtain theauthentication images through stacking verification share V i withshare D j, i ≠ j, 1 ≤ i, j ≤ 3. we obtain no information of the secretimage through stacking any two shares Di with D j, i ≠ j,1 ≤ i, j ≤ 3 and reconstruct the secret image only through stackingall three shares D1, D2, D3.

The experimental results of an MO's cheating attack and anMP's cheating attack in the proposed (3, 3)-CPDVCS are shown inFig. 5. The MO provided two fake shares FD1 and FD2 to theparticipant P3. Since there are no solid black patterns on thestacked results FD1 + V3 and FD2 + V3, FD1 and FD2 can bedetected as the fake shares. The participant P1 gave the shares D1and FD3 to the participant P3 with the aid of cheating. The numberof solid black patterns is incorrect and some solid black patternsare not complete on the stacked result FD3 + V3, which leads to thefailure of the cheating attack.

The experimental results of the collusion attack in the proposed(2, 3)-CPDVCS are shown in Fig. 6. FD1 is the fake share forgedby P2 and P3, which satisfies that the stacked result FD1 + D1 is thefake image. We observe that some solid black patterns areincomplete on the stacked result FD1 + V1 and the forged shareFD1 can be detected.

Fig. 2 Experimental results of the proposed (2, 3)-CPDVCS


Fig. 3 Experimental results of the proposed (2, 3)-CPPVCS

Fig. 4 Experimental results of the proposed (3, 3)-CPDVCS


217

5.2 Comparison

In Table 4, we give the comparison between the proposed methodand the two random authentication methods: Liu et al.’s [28] andChen et al.’s [30]. Though the contrast is reduced in the proposedmethod, the proposed method is applicable to both DVCS andPVCS. Another two methods are only applicable to DVCS.

Different from Liu et al.’s method and Chen et al.’s method, thepositions of authentication regions are random and uniform in theproposed method, which are determined by Latin squares, ratherthan secret pixels.

Fig. 5 Experimental results of an MO's cheating activity and an MP's cheating activity in the proposed (3, 3)-CPDVCS

Fig. 6 Experimental results of the collusion attack in the proposed (2, 3)-CPDVCS


6 ConclusionWithout pixel expansion, the proposed method provides randomand uniform regions authentication in each divided block of allshares. Latin squares guide random selection of authenticationregions. Probability modification embeds the authenticationpatterns in the stacking results of the corresponding shares andverification shares. Though the contrast is reduced, the proposedmethod is applicable to both DVCS and PVCS. We provetheoretically and experimentally that the proposed scheme is avalid CPVCS.

7 AcknowledgmentsMany thanks to the anonymous reviewers for their valuablecomments. This work was supported by NSFC No. 61671448, the“Strategic Priority Research Program” of the Chinese Academy ofSciences grant No. XDA06010701, the National Key R&DProgram of China with No. 2016YFB0800100 and the ScienticResearch Project of Beijing Municipal Educational Committeegrant No. 71E1610972.

8 References[1] Naor, M., Shamir, A.: ‘Visual cryptography’. EUROCRYPT'94, 1995,

(LNCS, 950), pp. 1–12[2] Ateniese, G., Blundo, C., Santis, A.D., et al.: ‘Visual cryptography for general

access structures’, Inf. Comput., 1996, 129, pp. 86–106[3] Ateniese, G., Blundo, C., Santis, A.D., et al.: ‘Extended capabilities for visual

cryptography’, ACM Theor. Comput. Sci., 2001, 250, (1–2), pp. 143–161[4] Liu, F., Wu, C.K.: ‘Embedded extended visual cryptography schemes’, IEEE

Trans. Inf. Forensics Sec., 2011, 6, (2), pp. 307–322[5] Ito, R., Kuwakado, H., Tanaka, H.: ‘Image size invariant visual

cryptography’, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.,1999, E82-A, (10), pp. 2172–2177

[6] Yang, C.N.: ‘New visual secret sharing schemes using probabilistic method’,Pattern Recogn. Lett., 2004, 25, pp. 481–494

[7] Cimato, S., De Prisco, R., De Santis, A.: ‘Probabilistic visual cryptographyschemes’, Comput. J., 2006, 49, pp. 97–107

[8] Hou, Y.C., Tu, S.F.: ‘A visual cryptographic technique for chromatic imagesusing multipixel encoding method’, J. Res. Pract. Inf. Technol., 2005, 37, pp.179–191

[9] Liu, F., Guo, T., Wu, C.K., et al.: ‘Improving the visual quality of sizeinvariant visual cryptography scheme’, J. Vis. Commun. Image Represent.,2012, 23, pp. 331–342

[10] Shyu, S.: ‘Image encryption by random grids’, Pattern Recogn., 2007, 40, pp.1014–1031

[11] Chen, T., Tsao, K.: ‘Threshold visual secret sharing by random grids’, J. Syst.Softw., 2011, 84, pp. 1197–1208

[12] Guo, T., Liu, F., Wu, C.K.: ‘Threshold visual secret sharing by random gridswith improved contrast’, J. Syst. Softw., 2013, 86, (8), pp. 2094–2109

[13] Wu, X., Sun, W.: ‘Generalized random grid and its applications in visualcryptography’, IEEE Trans. Inf. Forensics Sec., 2013, 8, (9), pp. 1541–1553

[14] De Prisco, R., De Santis, A.: ‘On the relation of random grid anddeterministic visual cryptography’, IEEE Trans. Inf. Forensics Sec., 2014, 9,(4), pp. 653–665

[15] Yang, C.N., Wu, C.C., Wang, D.S.: ‘A discussion on the relationship betweenprobabilistic visual cryptography and random grid’, Inf. Sci., 2014, 278, pp.141–173

[16] Wang, R.Z., Hsu, S.F.: ‘Tagged visual cryptography’, IEEE Signal Process.Lett., 2011, 18, (11), pp. 627–630

[17] Ou, D.H., Wu, X.T., Dai, L., et al.: ‘Improved tagged visual cryptograms byusing random grids’. IWDW 2013 (LNCS, 8389), pp. 79–94

[18] Ren, Y.W., Liu, F., Lin, D.D., et al.: ‘A new construction of tagged visualcryptography scheme’. IWDW 2015 (LNCS, 9569), pp. 433–445

[19] Hou, Y.C., Quan, Z.Y.: ‘Progressive visual cryptography with unexpandedshares’, IEEE Trans. Circuits Syst. Video Technol., 2011, 21, (11), pp. 1760–1764

[20] Yan, X.H., Wang, S., Niu, X.M.: ‘Threshold construction from specific casesin visual cryptography without the pixel expansion’, Signal Process., 2014,105, pp. 389–398

[21] Liu, F., Yan, W.Q.: ‘Visual cryptography for image processing and security-Theory Methods and Applications’ (Springer-Verlag, 2014)

[22] Yang, C.N., Laih, C.S.: ‘Some new types of visual secret sharing schemes’.Proc. of National Computer Symp., 1999, vol. 3, pp. 260–268

[23] De Prisco, R., De Santis, A.: ‘Cheating immune (2, n)-threshold visual secretsharing’. SCN 2006 (LNCS, 4116), pp. 216–228

[24] De Prisco, R., De Santis, A.: ‘Cheating immune threshold visual secretsharing’, Comput. J., 2010, 53, (9), pp. 1485–1496

[25] Tsai, D.S., Chen, T.H., Horng, G.: ‘A cheating prevention scheme for binaryvisual cryptography with homogeneous secret images’, Pattern Recogn.,2007, 40, (8), pp. 2356–2366

[26] Horng, G., Chen, T.H., Tsai, D.S.: ‘Cheating in visual cryptography’, Des.Codes Cryptogr., 2006, 38, pp. 219–236

[27] Hu, C.M., Tzeng, W.G.: ‘Cheating prevention in visual cryptography’, IEEETrans. Image Process., 2007, 16, (1), pp. 36–45

[28] Liu, F., Wu, C.K., Lin, X.J.: ‘Cheating immune visual cryptography scheme’,IET Inf. Sec., 2011, 5, pp. 51–59

[29] Chen, Y.C., Horng, G., Tsai, D.S.: ‘Comment on ‘Cheating prevention invisual cryptography’’, IEEE Trans. Image Process., 2012, 21, (7), pp. 3319–3323

[30] Chen, Y.C., Tsai, D.S., Horng, G.: ‘A new authentication based cheatingprevention scheme in Naor – Shamir's visual cryptography’, J. Vis. Commun.Image Represent., 2012, 23, pp. 1225–1233

Table 4 Comparison between the related methods and theproposed methodProperties Methods

Liu et al.[28]

Chen et al.[30]

The proposed

pixel expansion m m mextra verificationshare

NO YES YES

restriction on k NO k = 2 NOextension to (k, n)-PVCS

NO NO YES

contrast α h − lm

h − lm

(3/4)t(h − l)m

(t ≥ k)


219

scheme using latin square , feng liu , teng guo , rongquan...

Documents