Applying cheating identifiable secret sharing scheme in multimedia security

Abstract

In a (k,n) secret sharing scheme, one secret is encrypted into n shares in such a way that only k or more shares can decrypt the secret. Secret sharing can be extended to the field of multimedia, where it provides an efficient way to protect confidential information. Secret image sharing is the most important such extension; it can safely guard the secrecy of images among multiple participants. On the other hand, cheating detection is an important issue in traditional secret sharing schemes and has been discussed for many years. However, the issue of cheating detection in secret image sharing has not been discussed sufficiently. In this paper, we consider the cheating problem in the application of secret image sharing schemes and construct a (k,n) secret image sharing scheme with the ability of cheating detection and identification. Our scheme is capable of identifying cheaters when k participants are involved in reconstruction. The cheating identification ability and the shadow size of the proposed scheme are improved over the previous cheating identifiable secret image sharing scheme.

Introduction

The (k,n) secret sharing (SS) scheme was first proposed by Shamir [1] in 1979 to safeguard secret information among a group of participants. In Shamir’s scheme, a secret s is divided into n shares \(v_{1},v_{2},\ldots,v_{n}\) using a polynomial of degree k−1 in such a way that any k−1 or fewer shares reveal no information about the secret s and any k or more shares can reconstruct the secret s efficiently. In [2], the researchers designed reliable and secure devices that can realize Shamir’s SS [1]. In 2002, Thien and Lin combined Shamir’s SS scheme with images and proposed a secret image sharing (SIS) scheme [3] that can protect the information in a secret image among multiple users. After years of research, many SIS schemes have been constructed, and all existing SIS schemes can be mainly divided into two categories: polynomial-based SIS schemes [4–6] and visual cryptography (VC)-based schemes [7–9]. Polynomial-based SIS schemes can reconstruct a lossless image with reduced shadow size. In VC-based SIS schemes, image reconstruction can be accomplished by the human visual system without any computation; however, the reconstructed image is lossy and the shadow is larger than the original image.

The cheating problem in SS schemes was first introduced by Tompa and Woll [10] in 1989. They considered the scenario in which some dishonest participants (cheaters) pool fake shares when reconstructing the secret. Through this method, the cheaters can get the valid secret exclusively; the other honest participants can only decode a forged secret. Many works have focused on solving the cheating problem in SS schemes. Some of them [11–13] were interested in detecting the cheating behavior, and others [14–16] focused on not only detecting the cheating, but also identifying the cheaters. The cheating identifiable schemes have stronger capability to resist cheating; as a result, their shares are larger and the schemes are more complicated than the cheating detectable schemes.

As a result, the cheating problem is also an important issue in the field of SIS schemes. However, this issue has not been discussed sufficiently in SIS so far. In the works [17–19], some SIS schemes with steganography and authentication were capable of detecting or identifying the cheating behavior. However, those SIS schemes were not based on Shamir’s scheme and the capabilities of cheating detection or identification were not strong enough to prevent the cheating. In [20], Liu et al. proposed an SIS with the capability of cheating detection, but the identification of cheaters is still unknown. In [21], Yang et al. proposed an SIS scheme that can identify cheaters during reconstruction. In their scheme, shadows are generated from a bivariate polynomial and each shadow has extra bits which are used for authentication. The cheating identification is based on the symmetry property of the bivariate polynomial; however, the power of identifying cheaters in [21] is limited.

In this paper, we focus on the cheating problem in the fundamental polynomial-based SIS [3]. Since cheating identifiable scheme has much stronger power to prevent cheating behavior, we construct a (k,n) SIS scheme capable of identifying up to \(\left \lfloor \frac {k-2}{2}\right \rfloor \) cheaters. The rest of this paper is organized as follows. In Section 2, we introduce some related works, which includes Shamir’s (k,n) SS scheme, polynomial-based SIS scheme, and the model of cheating identification in SS scheme. In Section 3, we construct a (k,n) SIS scheme capable of cheating identification, and the theoretical analysis is also provided in this section. In Section 4, we use an example to illustrate the cheating identification in the proposed scheme and give a comparison between the scheme in [21] and the proposed scheme. Section 5 gives the conclusion of this paper.

Related works

Shamir’s (k,n) SS scheme

A (k,n) SS scheme is an approach where a secret is divided into n shares, in such a way that any k or more shares can reconstruct the secret and fewer than k shares reveal nothing about the secret. More formally, in a secret sharing scheme, there exist n participants \(\mathcal {P}=\{P_{1},P_{2},...,P_{n}\}\) and a dealer \(\mathcal {D}\). A (k,n) secret sharing scheme consists of two phases:

  1. Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares \(v_{1},v_{2},\ldots,v_{n}\) and sends each share \(v_{i}\) to a participant \(P_{i}\).

  2. Reconstruction phase: During this phase, a group of at least k participants submit their shares to reconstruct the secret.

In the sharing phase, the dealer \(\mathcal {D}\) computes n shares in such a way that the following conditions are satisfied:

  1. Correctness: Any set of at least k shares can reconstruct the valid secret.

  2. Secrecy: Any fewer than k shares have no information about the secret.

Shamir’s (k,n) SS scheme is shown in the following Scheme 1.

Scheme 1: Shamir’s (k,n) SS scheme

  • Sharing phase:

    1. The dealer \(\mathcal {D}\) chooses a polynomial \(\psi(x)\in GF(q)[X]\) of degree k−1 which satisfies \(s=\psi(0)\in GF(q)\).

    2. The dealer \(\mathcal {D}\) computes n shares \(v_{i}=\psi(i),\ i=1,2,\ldots,n\), and sends each share \(v_{i}\) to a participant \(P_{i}\).

  • Reconstruction phase:

    1. m (≥k) participants (say \(P_{1},P_{2},\ldots,P_{m}\)) submit their shares \(v_{1},v_{2},\ldots,v_{m}\) together.

    2. Compute the interpolated polynomial ψ(x) on \(v_{1},v_{2},\ldots,v_{m}\) by the equation: \(\psi (x)={\sum \nolimits }^{m}_{i=1}\left (v_{i}\prod \nolimits _{u\neq i}\frac {x-u}{i-u}\right)\). Then the secret is s=ψ(0).

Cheating identification in SS scheme

Tompa and Woll [10] first introduced the cheating problem in secret sharing schemes. For instance, some cheaters submit fake shares during the reconstruction phase, which makes the honest participants reconstruct a forged secret while the cheaters get the real secret exclusively. Cheating identification is a strong strategy to resist such cheating. The model of a cheating identifiable secret sharing scheme is as follows:

  • Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares \(v_{1},v_{2},\ldots,v_{n}\) and sends each share \(v_{i}\) to a user \(P_{i}\).

  • Reconstruction phase: During this phase, a group of m users (m≥k) submit their shares to reconstruct the secret.

    1. A public cheating identification algorithm is applied on these m shares to identify cheaters.

    2. Let L be the set of users who are identified to be cheaters using the cheating identification algorithm.

      If (m−|L|)≥k, reconstruct the secret s from the shares of users who are not in L, and output (s,L);

      If (m−|L|)<k, output L.

Polynomial-based SIS

In [3], Thien and Lin proposed a remarkable (k,n) SIS which was based on Shamir’s SS scheme. An image O is made up of multiple pixels, and the gray value of each pixel is in GF(251). In fact, the range of the gray scale is [0,255]; each pixel value larger than 250 is replaced by the value 250. Therefore, the reconstructed image has a slight quality distortion compared with the original image. However, in the majority of cases, this quality distortion can be neglected given the large number of pixels in an image. If all the pixels in an image are treated as secrets, a polynomial-based SIS can be extended from Shamir’s SS. Thien-Lin’s SIS scheme consists of two phases: the shadow generation phase and the image reconstruction phase. In the shadow generation phase, a dealer takes a secret image O as input and outputs n shadows \(S_{1},S_{2},\ldots,S_{n}\); during the image reconstruction phase, any set of m shadows (k≤m≤n) reconstructs the secret image O.

Scheme 2: Thien-Lin’s (k,n) SIS

Shadow Generation phase:

Input secret image O, output n shadows \(S_{1},S_{2},\ldots,S_{n}\).

  1. The dealer divides O into l non-overlapping k-pixel blocks, \(B_{1},B_{2},\ldots,B_{l}\).

  2. For the k pixels \(a_{j,0},a_{j,1},\ldots,a_{j,k-1}\in GF(251)\) in each block \(B_{j},\ j\in [1,l]\), the dealer generates a polynomial \(\psi_{j}(x)\in GF(251)[X]\) of degree k−1, namely \(\psi_{j}(x)=a_{j,0}+a_{j,1}x+a_{j,2}x^{2}+\cdots+a_{j,k-1}x^{k-1}\), and computes n pixel-shares \(v_{j,1}=\psi_{j}(1),v_{j,2}=\psi_{j}(2),\ldots,v_{j,n}=\psi_{j}(n),\ j\in [1,l]\), as in Shamir’s secret sharing scheme.

  3. Outputs n shadows \(S_{i}=v_{1,i}v_{2,i}\ldots v_{l,i},\ i=1,2,\ldots,n\), where each shadow is the combination of its pixel-shares.

Image reconstruction phase:

On input m shadows \(S_{1},S_{2},\ldots,S_{m}\) (m≥k).

  1. Extract the pixel-shares \(v_{j,1},v_{j,2},\ldots,v_{j,m},\ j\in [1,l]\), from \(S_{1},S_{2},\ldots,S_{m}\).

  2. Using the approach of Shamir’s scheme, reconstruct the polynomial \(\psi_{j}(x)=a_{j,0}+a_{j,1}x+a_{j,2}x^{2}+\cdots+a_{j,k-1}x^{k-1}\) from \(v_{j,1},v_{j,2},\ldots,v_{j,m},\ j\in [1,l]\). The block is \(B_{j}=a_{j,0}a_{j,1}\ldots a_{j,k-1}\).

  3. Outputs \(O=B_{1}B_{2}\ldots B_{l}\).

It is obvious that Scheme 2 satisfies the k-threshold property: k or more shadows can reconstruct entire image; less than k shadows get nothing about secret image. The size of each shadow in Scheme 2 is \(\frac {1}{k}\) times of the original image.

Methods

In this section, we consider the cheating problem in Scheme 2 and propose a cheating identifiable SIS that has the ability to identify cheaters; then, a theoretical analysis is given to prove the correctness of the proposed work.

The proposed scheme

Suppose that during the image reconstruction phase, cheaters can submit forged shadows. As a result, the honest participants can only get a fake secret image, while the cheaters can even reconstruct the secret image exclusively. In order to prevent this problem, we construct a (k,n) SIS with cheating identification under the model in Section 2.2. Our scheme is based on Thien-Lin’s fundamental scheme and can also be extended to other polynomial-based SIS schemes. Our scheme is shown in the following Scheme 3.

Scheme 3: (k,n) SIS scheme with cheating identification

Shadow Generation Phase: Input a secret image O, output n shadows \(S_{1},S_{2},\ldots,S_{n}\).

  1. The dealer divides O into l non-overlapping \(\left(k+\left \lfloor \frac {k-2}{2}\right \rfloor \right)\)-pixel blocks, \(B_{1},B_{2},\ldots,B_{l}\). (Let \(\omega =\left \lfloor \frac {k-2}{2}\right \rfloor \) in the rest of this paper.)

  2. For each block \(B_{i},\ i\in [1,l]\), there are k+ω secret pixels \(a_{i,0},a_{i,1},\ldots,a_{i,k-1}\) and \(b_{i,0},b_{i,1},\ldots,b_{i,\omega-1}\in GF(251)\). The dealer generates a polynomial of degree k−1, \(\psi_{i}(x)=a_{i,0}+a_{i,1}x+\cdots+a_{i,k-1}x^{k-1}\in GF(251)[X]\).

  3. The dealer chooses a random integer \(\gamma_{i}\), and computes k−ω pixels \(b_{i,\omega },b_{i,\omega +1},\ldots,b_{i,k-1}\) which satisfy \(a_{i,\omega}+\gamma_{i}b_{i,\omega}=0,\ a_{i,\omega+1}+\gamma_{i}b_{i,\omega+1}=0,\ \ldots,\ a_{i,k-1}+\gamma_{i}b_{i,k-1}=0\) over GF(251). Then the dealer generates another polynomial of degree k−1, \(\varphi_{i}(x)=b_{i,0}+b_{i,1}x+\cdots+b_{i,k-1}x^{k-1}\). It also implies that \(\eta_{i}(x)=\psi_{i}(x)+\gamma_{i}\varphi_{i}(x)\) is of degree ω−1.

  4. For each block \(B_{i},\ i\in [1,l]\), the dealer computes pixel-shares \(v_{i,j}=\{m_{i,j},d_{i,j}\}\), \(m_{i,j}=\psi_{i}(j)\), \(d_{i,j}=\varphi_{i}(j)\), \(j=1,2,\ldots,n\), for each participant \(P_{j}\). The shadow \(S_{j}\) for \(P_{j}\) is \(S_{j}=v_{1,j}v_{2,j}\ldots v_{t,j}\).

Image Reconstruction Phase: Input k shadows, without loss of generality \((S_{1},S_{2},\ldots,S_{k})\).

  1. Extract the pixel-shares \(v_{i,j}=(m_{i,j},d_{i,j}),\ i=1,2,\ldots,l,\ j=1,2,\ldots,k\), from \(S_{1},S_{2},\ldots,S_{k}\).

  2. For each group \(v_{i,1},v_{i,2},\ldots,v_{i,k},\ i\in [1,l]\), use Lagrange interpolation to reconstruct \(\psi_{i}(x)\) and \(\varphi_{i}(x)\) from \(m_{i,1},m_{i,2},\ldots,m_{i,k}\) and \(d_{i,1},d_{i,2},\ldots,d_{i,k}\), respectively.

    (a) If there exist a polynomial \(\eta_{i}(x)\) of degree ω−1 and an integer \(\gamma_{i}\) such that \(\eta_{i}(x)=\psi_{i}(x)+\gamma_{i}\varphi_{i}(x),\ i\in [1,l]\), recover the block \(B_{i}=(a_{i,0},a_{i,1},\ldots,a_{i,k-1},b_{i,0},b_{i,1},\ldots,b_{i,\omega-1}),\ i=1,2,\ldots,l\). The image O is reconstructed as \(O=B_{1}B_{2}\ldots B_{l}\).

    (b) Otherwise, if for some \(j\in [1,l]\) there exists no integer \(\gamma_{j}\) such that \(\psi_{j}(x)+\gamma_{j}\varphi_{j}(x)\) has degree ω−1, use the following Algorithm 1 to identify cheaters.

The cheating identification process is described in Algorithm 1. For simplicity, it takes k pixel-shares \(v_{i}=(m_{i},d_{i}),\ i=1,2,\ldots,k\), as input and outputs the set of cheaters.

Algorithm 1: Cheating identification: input \(v_{i}=(m_{i},d_{i}),\ i=1,2,\ldots,k\); output the set \(\mathcal {X}\) of cheaters.

  • Generate the \(C^{\omega +1}_{k}\) subsets \(\varepsilon _{1},\varepsilon _{2},...,\varepsilon _{C^{\omega +1}_{k}}\) of size ω+1 on the set of k pixel-shares \(\{v_{1},v_{2},\ldots,v_{k}\}\).

  • For each subset \(\varepsilon _{i},i\in \left [1,C^{\omega +1}_{k}\right ]\), compute its corresponding checking polynomial \(\eta ^{\prime }_{i}(x)\). For example, for \(\varepsilon_{1}=\{v_{1},v_{2},\ldots,v_{\omega},v_{\omega+1}\}\), compute the two ω-th degree interpolated polynomials \(\psi ^{\prime }_{1}(x)\) and \(g^{\prime }_{1}(x)\) on \(m_{1},m_{2},\ldots,m_{\omega+1}\) and \(d_{1},d_{2},\ldots,d_{\omega},d_{\omega+1}\), respectively. Figure out an integer \(\gamma ^{\prime }_{1}\) such that \(\eta ^{\prime }_{1}(x)=\psi ^{\prime }_{1}(x)+\gamma ^{\prime }_{1}g^{\prime }_{1}(x)\) is of degree ω−1. Then \(\eta ^{\prime }_{1}(x)\) is the checking polynomial on the subset \(\varepsilon_{1}\).

  • Figure out the majority polynomial \(\eta_{m}(x)\) among all the \(C^{\omega +1}_{k}\) checking polynomials. Suppose \(\varepsilon_{1},\varepsilon_{2},\ldots,\varepsilon_{w}\) are all the w subsets whose checking polynomial equals the majority polynomial \(\eta_{m}(x)\); then the set of cheaters is given by \(\mathcal {X}=\left \{P_{1},P_{2},...,P_{k}\right \}-\left (\varepsilon _{1}\bigcup \varepsilon _{2},...,\bigcup \varepsilon _{w}\right)\).

In Thien-Lin’s scheme, it can be noticed that the size of the shadow is \(\frac {1}{k}\) times that of the secret image. In our scheme, the pixel-shares \(v_{i,j}=(m_{i,j},d_{i,j})\) are generated from each (k+ω)-pixel block; therefore, the size of the shadow in our scheme is \(\frac {2}{k+\omega }\) times that of the secret image O. The most complicated operation of cheating identification in our scheme is computing \(C^{\omega +1}_{k}\) polynomials of degree ω−1; thus, the time complexity is \(O\left (C^{\omega +1}_{k}\ast \omega ^{2}\right)\).

Observe that in the proposed scheme, each block of the secret image is shared using Shamir’s (k,n) secret sharing scheme. Therefore, our proposed scheme is a perfect (k,n) threshold scheme, namely, k or more shadows can reconstruct the image, while k−1 or fewer shadows get no information about the image.

Theoretical analysis

The capability of cheating identification of the proposed scheme is summarized by the following lemma and theorem. Since in our scheme the secret image is divided into multiple blocks and each block is encrypted into shares using the same approach, we use one block of k+ω pixels instead of the entire image to analyze its cheating identification ability.

Lemma 1

Sharing a (k+ω)-pixel block \(B=(a_{0},a_{1},\ldots,a_{k-1},b_{0},b_{1},\ldots,b_{\omega-1})\) as shown in Scheme 2, any ω+1 participants can get γ and the polynomial η(x) of degree ω−1. The dealer \(\mathcal {D}\) decides the parameters of η(x). (\(\eta(x)=\gamma\varphi(x)+\psi(x)\); any ω+1 participants can get η(x) and γ without knowledge of ψ(x) and φ(x).) But ω participants are unable to get any information about γ and η(x).

Proof

Suppose the ω+1 participants are \(P_{1},P_{2},\ldots,P_{\omega+1}\), and they possess the ω+1 pixel-shares \(v_{i}=\{m_{i},d_{i}\},\ i=1,2,\ldots,\omega+1\). The ω+1 points \((1,m_{1}),(2,m_{2}),\ldots,(\omega+1,m_{\omega+1})\) determine an interpolated polynomial \(\psi^{\prime}(x)\), and another interpolated polynomial \(\varphi^{\prime}(x)\) is determined by the ω+1 points \((1,d_{1}),(2,d_{2}),\ldots,(\omega+1,d_{\omega+1})\). It is easy to conclude that the ω+1 points \((1,m_{1}),(2,m_{2}),\ldots,(\omega+1,m_{\omega+1})\) are linearly independent; otherwise, the interpolated polynomial on \((1,m_{1}),(2,m_{2}),\ldots,(k,m_{k})\) would be of degree less than k−1, since the n points \((1,m_{1}),(2,m_{2}),\ldots,(k,m_{k})\) deduce an interpolated polynomial ψ(x) of degree k−1 and k>ω+1. So, \(\psi^{\prime}(x)\) and \(\varphi^{\prime}(x)\) are both ω-degree interpolated polynomials.

Now, we have \(\eta(x)=\gamma\varphi(x)+\psi(x)\) and \(\eta^{\prime}(x)=\psi^{\prime}(x)+\gamma^{\prime}\varphi^{\prime}(x)\). Let \(R(x)=\eta(x)-\eta^{\prime}(x)\). Therefore, we get:

$$ R(x)=\psi(x)-\psi^{\prime}(x)+\gamma\varphi(x)-\gamma^{\prime}\varphi^{\prime}(x). $$
(1)

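We get \(\psi(i)=\psi^{\prime}(i),\ i=1,2,\ldots,\omega+1\), since ψ(x) and \(\psi^{\prime}(x)\) must pass through \((i,m_{i}),\ i=1,2,\ldots,\omega+1\). Similarly, we get \(\varphi(i)=\varphi^{\prime}(i),\ i=1,2,\ldots,\omega+1\). Together with Eq. (1), we get \(R(i)=(\gamma-\gamma^{\prime})\varphi^{\prime}(i),\ i=1,2,\ldots,\omega+1\), which means that R(x) intersects \((\gamma-\gamma^{\prime})\varphi^{\prime}(x)\) at ω+1 points, since both R(x) and \((\gamma-\gamma^{\prime})\varphi^{\prime}(x)\) are of degree no more than ω.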

Thus, we get a conclusion that:

$$ R(x)=\left(\gamma-\gamma^{\prime}\right)\varphi^{\prime}(x). $$
(2)

Obviously, \(R(x)=\eta(x)-\eta^{\prime}(x)\), where R(x) is an interpolated polynomial whose degree is no more than ω−1. Similarly, \(\varphi^{\prime}(x)\) is of degree exactly ω. Therefore, we get that \(\gamma=\gamma^{\prime}\) and \(\eta(x)=\eta^{\prime}(x)\). Otherwise, it would contradict Eq. (2).

Next, we prove that γ and η(x) cannot be obtained by ω shareholders. The polynomial φ(x) is dependent on ψ(x), such that there exist a polynomial η(x) of degree ω−1 and a value γ which satisfy \(\eta(x)=\psi(x)+\gamma\varphi(x)\). If we consider the ω coefficients of η(x) and the value γ as ω+1 unknowns, then each participant \(P_{i}\) can build a linear equation \(\eta(i)=m_{i}+\gamma \cdot d_{i}\) on these ω+1 unknowns using their share \((m_{i},d_{i})\). As a result, ω participants can build ω linear equations on these ω+1 unknowns. These ω+1 unknowns cannot be figured out, according to the property of linear equations. Otherwise, by using their ω shares, ω participants can only get two interpolated polynomials ψ′′(x) and φ′′(x) of degree ω−1. η(x) and γ can be denoted as

$$ \eta(x)=\gamma\varphi^{\prime\prime}(x)+\psi^{\prime\prime}(x). $$
(3)

However, η(x),ψ′′(x) and φ′′(x) are ω−1-degree interpolated polynomials. According to Eq. (3), with probabilities \(\frac {1}{p}\), each element e in GF(p) could be γ. Therefore, γ and η(x) cannot be gotten by ω shareholders. End proof. □

Theorem 1

If the number t of cheaters satisfies \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor \), these cheaters can be identified in the proposed scheme.

Proof

According to Lemma 1, γ and η(x) can be obtained by ω+1 cheaters using their valid pixel-shares. Among these cheaters, \(P_{j}\) is a critical cheater, who can even forge his pixel-share \(v^{\prime }_{j}=\left (m^{\prime }_{j},d^{\prime }_{j}\right)\) where \(m^{\prime }_{j}\neq m_{j}\) to satisfy \(m^{\prime }_{j}+\gamma \cdotp d^{\prime }_{j}=\eta (j)\). Each combination of ω+1 submitted pixel-shares including \(v^{\prime }_{j}\) deduces an identical checking polynomial η(x); during secret reconstruction and cheater identification, the cheater \(P_{j}\) succeeds in cheating.

As illustrated in Lemma 1, when \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor \), ω cheaters can get no information about γ. Thus, forged shares that avoid identification cannot be made successfully by any ω or fewer cheaters. A checking polynomial can be generated by any ω+1 participants, according to Lemma 1, and \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor \). There are at least ω+2 valid shares among the k submitted shares, so \(C^{\omega +1}_{\omega +2}=\omega +2\) valid checking polynomials can be generated in CI. Without loss of generality, suppose \(P_{1}\) is a critical cheater who releases a forged pixel-share \(v^{\prime }_{1}\). The cheating succeeds if and only if there is a set of ω+2 submitted pixel-shares including \(v^{\prime }_{1}\) with the property that the same checking polynomial \(\eta_{1}(x)\) is produced by each combination of ω+1 of these shares.

The ω+2 submitted pixel-shares are \(v^{\prime }_{1},v^{\prime }_{2},...,v^{\prime }_{t},v_{t+1},...,v_{i_{\omega +2}}\) where \(P_{1},P_{2},\ldots,P_{t}\) are t cheaters and \(P_{1}\) is a critical cheater who knows \(v^{\prime }_{2},v^{\prime }_{3},...,v^{\prime }_{t}\). \(\eta_{1}(x)\) and the value \(\gamma_{1}\) are made by \(v^{\prime }_{1},v^{\prime }_{2},...,v^{\prime }_{t},v_{t+1},...,v_{\omega +1}\); then \(v_{\omega+2}=(m_{\omega+2},d_{\omega+2})\) has to satisfy

$$ m_{\omega+2}+\gamma_{1}d_{\omega+2}=\eta_{1}(\omega+2). $$
(4)

Notice that the t cheaters can get no information about \(\gamma_{1}\), \(\eta_{1}(x)\) and \(v_{\omega+2}=(m_{\omega+2},d_{\omega+2})\), and the probability that (4) holds is \(\frac {1}{p}\). In other words, the successful cheating probability of \(P_{1}\) is \(\frac {1}{p}\). End proof. □

Results and discussion

In this part, we show the experimental results and give a comparison between our scheme and other cheating detectable SIS. In this example, let the threshold be (k,n)=(6,n), and let the secret image O be divided into l blocks where each block includes \(k+\left \lfloor \frac {k-2}{2}\right \rfloor =8\) secret pixels. Assume one block B consists of the following 8 pixels: \((a_{0},\ldots,a_{5},b_{0},b_{1})=(57,68,90,231,42,89,124,186)\). The dealer selects an integer γ=10, then generates two polynomials of degree k−1=5: \(\psi(x)=57+68x+90x^{2}+231x^{3}+42x^{4}+89x^{5}\) and \(\varphi(x)=124+186x+242x^{2}+2x^{3}+46x^{4}+217x^{5}\), where \(a_{i}+\gamma \cdot b_{i}=0,\ i=2,3,4,5\). Suppose \(P_{1},P_{2},\ldots,P_{6}\) participate in image reconstruction; the pixel-shares are \(v_{1}=(75,64)\), \(v_{2}=(148,124)\), \(v_{3}=(209,135)\), \(v_{4}=(220,151)\), \(v_{5}=(59,134)\), \(v_{6}=(160,141)\).

If all these 6 participants are honest, they submit real pixel-shares in image reconstruction, and the two polynomials \(\psi(x)=57+68x+90x^{2}+231x^{3}+42x^{4}+89x^{5}\) and \(\varphi(x)=124+186x+242x^{2}+2x^{3}+46x^{4}+217x^{5}\) can be reconstructed, respectively. They can also find γ=10, such that \(\eta(x)=\psi(x)+\gamma \cdot \varphi(x)=42+171x\) is of degree \(\left \lfloor \frac {k-2}{2}\right \rfloor -1\). It means that there is no cheating behavior, and the pixel-block B=(57,68,90,231,42,89,124,186) is reconstructed.

Now we assume \(P_{1},P_{2}\) are two cheaters \(\left (t=2\leq \left \lfloor \frac {k-2}{2}\right \rfloor \right)\) who submit fake pixel-shares \(v_{1}^{\prime }=(98,109),v_{2}^{\prime }=(215,81)\) in image reconstruction. The cheating behavior can be easily detected using our scheme. During the cheating identification algorithm, all the 4 subsets which contain 3 honest participants compute the same checking polynomial \(\eta(x)=42+171x\). For example, \((P_{3},P_{4},P_{5})\) can get two interpolated polynomials \(\psi(x)=148+111x+165x^{2}\), \(\varphi(x)=140+6x+109x^{2}\). Then, they can figure out a unique integer γ=10 such that \(\eta(x)=\psi(x)+\gamma \cdot \varphi(x)=42+171x\). For another subset of 3 honest participants \((P_{3},P_{4},P_{6})\), they can reconstruct two interpolated polynomials \(\psi(x)=12+23x+70x^{2}\), \(\varphi(x)=3+65x+244x^{2}\) from their pixel-shares. Then, they can also figure out the integer γ=10 such that \(\eta(x)=\psi(x)+\gamma \cdot \varphi(x)=42+171x\). On the other side, each subset of three participants which contains \(P_{1}\) or \(P_{2}\) deduces a different checking polynomial. Therefore, \(\eta(x)=\psi(x)+\gamma \cdot \varphi(x)=42+171x\) is regarded as the majority polynomial, and the cheaters can be identified successfully.
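The following Python code is an added example, not the authors' implementation: it runs the Scheme 3 dealer and Algorithm 1 on the single pixel block of the worked example above. The function names, the requirement that γ be nonzero, and the choice to skip subsets that yield no unique γ are assumptions of this example.

```python
"""Scheme 3 sharing and Algorithm 1 cheater identification for one block.

Added illustration, not the authors' code. Assumes k >= 4 (so omega >= 1),
a nonzero gamma, and participant indices 1..n used as x-coordinates.
"""
from itertools import combinations

P = 251  # pixel values live in GF(251)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def interpolate(points):
    """Lagrange interpolation mod P; returns len(points) coefficients."""
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # basis *= (x - xj); denom *= (xi - xj)
                basis = [(shifted - xj * same) % P
                         for shifted, same in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        result = [(r + scale * b) % P for r, b in zip(result, basis)]
    return result


def find_gamma(psi, phi, omega):
    """Return (gamma, eta) if psi + gamma*phi has degree <= omega-1, else None."""
    top = next((i for i in range(len(psi) - 1, omega - 1, -1) if phi[i]), None)
    if top is None:
        return None  # assumption: no unique gamma means no checking polynomial
    gamma = -psi[top] * pow(phi[top], -1, P) % P
    combo = [(a + gamma * b) % P for a, b in zip(psi, phi)]
    if any(combo[omega:]):
        return None
    return gamma, tuple(combo[:omega])


def share_block(block, k, n, gamma):
    """Scheme 3 dealer for one (k+omega)-pixel block: [(m_j, d_j)], j = 1..n."""
    omega = (k - 2) // 2
    a, b = list(block[:k]), list(block[k:k + omega])
    inv = pow(gamma, -1, P)  # assumes gamma != 0 mod P
    b += [(-a[i] * inv) % P for i in range(omega, k)]  # a_i + gamma*b_i = 0
    return [(poly_eval(a, j), poly_eval(b, j)) for j in range(1, n + 1)]


def identify_cheaters(shares, omega):
    """Algorithm 1: vote over checking polynomials of all (omega+1)-subsets."""
    supporters = {}  # eta -> list of subsets that produced it
    for subset in combinations(sorted(shares), omega + 1):
        psi = interpolate([(j, shares[j][0]) for j in subset])
        phi = interpolate([(j, shares[j][1]) for j in subset])
        found = find_gamma(psi, phi, omega)
        if found is not None:
            supporters.setdefault(found[1], []).append(subset)
    if not supporters:
        return sorted(shares)  # assumption: nobody can be cleared
    majority = max(supporters.values(), key=len)
    cleared = set().union(*majority)
    return sorted(set(shares) - cleared)


def reconstruct_block(shares, k):
    """shares: {j: (m_j, d_j)} from exactly k participants.

    Returns ("ok", block) or ("cheaters", identified participant indices).
    """
    omega = (k - 2) // 2
    psi = interpolate([(j, shares[j][0]) for j in sorted(shares)])
    phi = interpolate([(j, shares[j][1]) for j in sorted(shares)])
    if find_gamma(psi, phi, omega) is not None:
        return "ok", tuple(psi) + tuple(phi[:omega])
    return "cheaters", identify_cheaters(shares, omega)


# Values taken from the worked example in the text.
PAPER_BLOCK = (57, 68, 90, 231, 42, 89, 124, 186)
K, GAMMA = 6, 10
FORGED = {1: (98, 109), 2: (215, 81)}  # fake pixel-shares of P1 and P2


def run_paper_example():
    honest = dict(enumerate(share_block(PAPER_BLOCK, K, K, GAMMA), start=1))
    return reconstruct_block(honest, K), reconstruct_block({**honest, **FORGED}, K)


if __name__ == "__main__":
    print(run_paper_example())
```

With only k=6 shares submitted and two of them rejected, fewer than k valid shares remain, so under the model of the cheating identifiable scheme the output is the cheater set alone.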

In [21], Yang et al. proposed an authentication approach in secret image sharing which is also capable of identifying cheaters during the secret reconstruction phase. The scheme in [21] is also based on Thien-Lin’s scheme [3], but uses a symmetric bivariate polynomial to generate shadows. It encrypts each \(\frac {k(k+1)}{2}\) secret pixels into k pixel-shares, and the size of the shadow is \(\frac {2}{k+1}\) times that of the secret image. The shadow size in our scheme is \(\frac {2}{k+\omega }\), which is smaller than the size in Yang et al.’s scheme when \(\omega =\left \lfloor \frac {k-2}{2}\right \rfloor \geq 1\). In cheating identification, not only the k participants, but also the other n−k participants work together to vote for the k participants using the symmetry property of the bivariate polynomial. The participants who get less than \(\left \lfloor \frac {n-1}{2}\right \rfloor \) votes are identified as cheaters. However, in most cheating identifiable secret sharing schemes, the cheating identification is carried out only by the participants in secret reconstruction, and it is not practical to involve the other n−k participants in cheating identification. In fact, if k participants work together to identify cheaters in Yang et al.’s scheme, the cheaters cannot be identified since the cheater can always get more votes than honest participants. The comparison between Yang et al.’s scheme and the proposed scheme is shown in the following Table 1. The symbol CI in Table 1 means the capability of cheating identification.

Table 1 Comparison between the proposed scheme and Yang et al.’s scheme

We can also use the 512×512 Lena image (Fig. 1) as the secret image O to generate shadows using our (4,7) SIS scheme with cheating identification. The n=7 shadows are shown in Fig. 2, where each shadow is \(\frac {2}{k+\left \lfloor \frac {k-2}{2}\right \rfloor }=\frac {2}{5}\) times the size of the secret image. Any 4 participants can reconstruct the image and can identify \(\left \lfloor \frac {k-2}{2}\right \rfloor =1\) cheater.

Fig. 1: 512×512 secret image

Fig. 2: Seven shadows on the secret image

Conclusion

In this paper, we consider the well-known cheating problem in polynomial-based (k,n) SIS, in which a group of malicious participants submit fake shadows during image reconstruction. In order to prevent such cheating behavior, we construct a (k,n) SIS scheme with cheating identification under the model of the cheating identifiable SS scheme. Our scheme is capable of identifying \(\left \lfloor \frac {k-2}{2}\right \rfloor \) cheaters when k participants are involved in image reconstruction. In addition, the proposed scheme is based on the landmark Thien-Lin polynomial-based SIS scheme and can be easily extended to other polynomial-based SIS schemes. Both the size of the shadow and the capability of cheating identification are improved over previous SIS schemes with cheating identification.

Availability of data and materials

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

Abbreviations

SS: Secret sharing

SIS: Secret image sharing

VC: Visual cryptography

References

  1. A. Shamir, How to share a secret. Commun. ACM 22(11), 612–613 (1979).

  2. Z. Wang, M. Karpovsky, L. Bu, Design of reliable and secure devices realizing Shamir’s secret sharing. IEEE Trans. Comput. 65(8), 2443–2455 (2016).

  3. C. C. Thien, J. C. Lin, Secret image sharing. Comput. Graph. 26(5), 765–770 (2002).

  4. Y. X. Liu, C. N. Yang, Q. D. Sun, Y. C. Chen, (k,n) scalable secret image sharing with multiple decoding options. J. Intell. Fuzzy Syst. 38(1), 219–228 (2020).

  5. Y. X. Liu, C. N. Yang, Q. D. Sun, Thresholds based image extraction schemes in big data environment in intelligent traffic management. IEEE Trans. Intell. Transp. Syst. (2020). https://doi.org/10.1109/TITS.2020.2994386.

  6. Y. X. Liu, C. N. Yang, C. M. Wu, Q. D. Sun, W. Bi, Threshold changeable secret image sharing scheme based on interpolation polynomial. Multimed. Tools Appl. 78(13), 18653–18667 (2019).

  7. R. Z. Wang, Region incrementing visual cryptography. IEEE Sig. Process. Lett. 16(8), 659–662 (2009).

  8. C. N. Yang, H. W. Shih, C. C. Wu, L. Harn, k out of n region incrementing scheme in visual cryptography. IEEE Trans. Circ. Syst. Video Technol. 22(5), 799–809 (2012).

  9. C. N. Yang, Y. C. Lin, C. C. Wu, Region in region incrementing visual cryptography scheme. Proc. IWDW2012, LNCS 7809, 449–463 (2013).

  10. M. Tompa, H. Woll, How to share a secret with cheaters. J. Cryptol. 1(3), 133–138 (1989).

  11. P. Y. Lin, C. C. Chang, Cheating resistance and reversibility-oriented secret sharing mechanism. IET Inf. Secur. 5(2), 81–92 (2011).

  12. S. Obana, T. Araki, in Proceedings of ASIACRYPT, LNCS 4284. Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution (Springer, Heidelberg, 2006), pp. 364–379.

  13. W. Ogata, K. Kurosawa, D. R. Stinson, Optimum secret sharing scheme secure against cheating. SIAM J. Discret. Math. 20(1), 79–95 (2006).

  14. K. Kurosawa, S. Obana, W. Ogata, in Proceedings of CRYPTO, LNCS 563. t-cheater identifiable (k,n) secret sharing schemes (Springer, Heidelberg, 1995), pp. 410–423.

  15. S. Obana, in Proceedings of EUROCRYPT, LNCS 6632. Almost optimum t-cheater identifiable secret sharing schemes (Springer, Heidelberg, 2011), pp. 284–302.

  16. L. Harn, C. L. Lin, Detection and identification in (t,n) secret sharing scheme. Des. Code Crypt. 52(1), 15–24 (2009).

  17. C. C. Lin, W. H. Tsai, Secret image sharing with steganography and authentication. J. Syst. Softw. 73, 405–414 (2004).

  18. C. N. Yang, T. S. Chen, K. H. Yu, C. C. Wang, Improvements of image sharing with steganography and authentication. J. Syst. Softw. 80, 1070–1076 (2007).

  19. C. C. Chang, Y. P. Hsieh, C. H. Lin, Sharing secrets in stego images with authentication. Pattern Recog. 41, 3130–3137 (2008).

  20. Y. X. Liu, Q. D. Sun, C. N. Yang, (k,n) secret image sharing scheme capable of cheating detection. EURASIP J. Wirel. Commun. Netw. 2018, 72 (2018).

  21. C. N. Yang, J. F. Ouyang, L. Harn, Steganography and authentication in image sharing without parity bits. Opt. Commun. 285, 1725–1735 (2012).

Acknowledgements

We want to thank Professor Lein Harn from the University of Missouri-Kansas city for his help in English improvement.

Funding

The research presented in this paper is supported by the National Key R&D Program of China under No. 2018YFB1800100.

Author information

Contributions

Zheng Ma provides the main concept, Yan Ma and Xiaohong Huang design the algorithms, Manjun Zhang gives the experiments, and Yanxiao Liu makes the comparisons. The authors read and approved the final manuscript.

Corresponding author

Correspondence to Yanxiao Liu.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Cite this article

Ma, Z., Ma, Y., Huang, X. et al. Applying cheating identifiable secret sharing scheme in multimedia security. J Image Video Proc. 2020, 42 (2020). https://doi.org/10.1186/s13640-020-00529-z

Keywords

  • Multimedia security
  • Secret image sharing
  • Secret sharing
  • Cheating identification