Applying cheating identifiable secret sharing scheme in multimedia security

In (k,n) secret sharing scheme, one secret is encrypted into n shares in such a way that only k or more shares can decrypt the secret. Secret sharing scheme can be extended into the field of multimedia that provides an efficient way to protect confidential information on multimedia. Secret image sharing is just the most important extension of secret sharing that can safely guard the secrecy of images among multiple participants. On the other hand, cheating detection is an important issue in traditional secret sharing schemes that have been discussed for many years. However, the issue of cheating detection in secret image sharing has not been discussed sufficiently. In this paper, we consider the cheating problem in the application of secret image sharing schemes and construct a (k,n) secret image sharing scheme with the ability of cheating detection and identification. Our scheme is capable of identifying cheaters when k participants involve in reconstruction. The cheating identification ability and size of shadow in the proposed scheme are improved from the previous cheating identifiable secret image sharing scheme.

(k,n) secret sharing (SS) scheme was first proposed by Shamir [1] in 1979 to safeguard secret information among a group of participants. In Shamir’s scheme, a secret s is divided into n shares v₁,v₂,...,v_n using a k−1 degree polynomial in such a way that any k−1 or less shares get no information about the secret s and any k or more shares can reconstruct the secret s efficiently. In [2], the researchers designed reliable and secure devices that can realize Shamir’s SS [1]. In 2002, Thien and Lin combined Shamir’s SS scheme with image and proposed a secret image sharing (SIS) scheme [3] that can protect information on secret image among multiple users. After years of research, many SIS schemes were constructed, and all existing SIS schemes can be mainly divided into two categories: one is polynomial-based SIS schemes [4–6], and the other is visual cryptography (VC)-based schemes [7–9]. Polynomial-based SIS schemes can reconstruct lossless image with reduced shadow size; the image reconstruction in VC-based SIS schemes can be simply accomplished by human visual system without any computation. However, the reconstructed image is lossy and the size of shadow is expanded from the original image.

The cheating problem in SS schemes was first introduced by Tompa and Woll [10] in 1989. They considered the scenario that some dishonest participants (cheaters) pool fake shares when reconstructing the secret. Through this method, the cheaters can get the valid secret exclusively; the other honest participants can only decode a forged secret. Many works have focused on solving cheating problem in SS schemes. Some of them [11–13] were interested in detecting the cheating behavior, and others [14–16] focused on not only detecting the cheating, but also identifying the cheaters. The cheating identifiable schemes have stronger capability to resist cheating, and it results that the shares are larger and the schemes are more complicated than those cheating detectable schemes.

As a result, the cheating problem is also an important issue in the field of SIS schemes. However, this issue has not been discussed sufficiently in SIS so far. In the works [17–19], some SIS schemes with steganography and authentication were capable of detecting or identifying the cheating behavior. However, those SIS schemes were not based on Shamir’s scheme and the capabilities of cheating detection or identification were not strong enough to prevent the cheating. In [20], Liu et al. proposed a SIS with the capability of cheating detection, but the identification of cheaters is still unknown. In [21], Yang et al. proposed a SIS scheme that can identify cheaters during reconstruction. In their scheme, shadows are generated from bivariate polynomial and each shadow has extra bits which is used for authentication. The cheating identification is based on the property of symmetry in bivariate polynomial; however, the power on identifying cheaters in [21] is limited.

In this paper, we focus on the cheating problem in the fundamental polynomial-based SIS [3]. Since cheating identifiable scheme has much stronger power to prevent cheating behavior, we construct a (k,n) SIS scheme capable of identifying up to \(\left \lfloor \frac {k-2}{2}\right \rfloor \) cheaters. The rest of this paper is organized as follows. In Section 2, we introduce some related works, which includes Shamir’s (k,n) SS scheme, polynomial-based SIS scheme, and the model of cheating identification in SS scheme. In Section 3, we construct a (k,n) SIS scheme capable of cheating identification, and the theoretical analysis is also provided in this section. In Section 4, we use an example to illustrate the cheating identification in the proposed scheme and give a comparison between the scheme in [21] and the proposed scheme. Section 5 gives the conclusion of this paper.

2.1 Shamir’s (k,n) SS scheme

A (k,n) SS scheme is an approach where a secret is decrypted into n shares, in such way that any k or more shares can reconstruct the secret and fewer than k shares get nothing about the secret. More formally, in secret sharing scheme, there exist n participants \(\mathcal {P}=\{P_{1},P_{2},...,P_{n}\}\) and a dealer \(\mathcal {D}\). A (k,n) secret sharing scheme consists of two phases:

1. 1

   Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares v₁,v₂,...,v_n and sends each share v_i to a participant P_i.

2. 2

   Reconstruction phase: During this phase, a group of at least k participants submit their shares to reconstruct the secret.

In the sharing phase, the dealer \(\mathcal {D}\) computes n shares in such a way that satisfies the following conditions:

1. 1

   Correctness: Any set of at least k shares can reconstruct the valid secret.

2. 2

   Secrecy: Any fewer than k shares have no information about the secret.

Shamir’s (k,n) SS scheme is shown in the following Scheme 1.

Scheme 1: Shamir’s (k,n) SS scheme

• Sharing phase:

  1. 1

     The dealer \(\mathcal {D}\) chooses a k−1 degree polynomial ψ(x)∈GF(q)[X] which satisfies s=ψ(0)∈GF(q).

  2. 2

     The dealer \(\mathcal {D}\) computes n shares v_i=ψ(i),i=1,2...,n, and sends each share v_i to a participant P_i.

• Reconstruction phase:

  1. 1

     m(≥k) participants (say P₁,P₂...,P_m) submit their shares v₁,v₂...,v_m together.

  2. 2

     Computing the interpolated polynomial ψ(x) on v₁,v₂...,v_m by the equation: \(\psi (x)={\sum \nolimits }^{m}_{i=1}\left (v_{i}\prod \nolimits _{u\neq i}\frac {x-u}{i-u}\right)\). Then the secret s=ψ(0).

2.2 Cheating identification in SS scheme

Tompa and Woll [10] first introduced the cheating problem in secret sharing schemes, for instance, some cheaters submit fake shares during the reconstruction phase, which makes the honest participants reconstruct a forged secret and the cheaters can get the real secret exclusively. Cheating identification is a strong strategy to resist such cheating. The model of cheating identifiable secret sharing scheme is shown as follows:

• Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares v₁,v₂...,v_n and sends each share v_i to a user P_i.

• Reconstruction phase: During this phase, a group of m users (m≥k) submit their shares to reconstruct the secret.

  1. 1

     A public cheating identification algorithm is applied on these m shares to identify cheaters.

  2. 2

     Let L be the set of users who are identified to be cheaters using cheating identification algorithm.

     If (m−|L|)≥k, reconstruct the secret s from those shares of users who are not in L, and output (s,L);

     If (m−|L|)<k, output L.

2.3 Polynomial-based SIS

In [3], Thien and Lin proposed a remarkable (k,n) SIS which was based on Shamir’s SS scheme. An image O is made up of multiple pixels, and the gray value of each pixel is in GF(251). In fact, the range of gray scale is [0,255]; for each pixel larger than 250, they are replaced by the value 250. Therefore, the reconstructed image would be of a little quality distortion from the original image. However, in majority cases, this quality distortion can be omitted with large number of pixels in an image. If all the pixels in an image are treated as secrets, a polynomial-based SIS can be extended from Shamir’s SS. Thien-Lin’s SIS scheme consists of two phases: shadow generation phase and image reconstruction phase. In the shadow generation phase, a dealer regards a secret image O as input and outputs n shadows S₁,S₂...,S_n; during image recovery phase, any set of m shadows k≤m≤n reconstruct the secret image O.

Scheme 2: Thien-Lin’s (k,n) SIS

Shadow Generation phase:

Input secret image O, output n shadows S₁,S₂...,S_n

1. 1

   The dealer divides O into l-non-overlapping k-pixel blocks, B₁,B₂...,B_l.

2. 2

   For k pixels a_j,0,a_j,1...,a_j,k−1∈GF(251) in each block B_j,j∈[1,l], the dealer generates a k−1 degree polynomial ψ_j(x)∈GF(251)[X], namely, ψ_j(x)=a_j,0+a_j,1x+a_j,2x²+...,+a_j,k−1x^k−1, and computes n pixel-shares v_j,1=ψ_j(1),v_j,2=ψ_j(2)...,v_j,n=ψ_j(n),j∈[1,l] as Shamir’s secret sharing scheme.

3. 3

   Outputs n shadows S_i=v_1,i∥v_2,i∥,...,∥v_l,i,i=1,2...,n, the symbol ∥ is the combination of pixel-shares.

Image reconstruction phase:

On input m shadows S₁,S₂...,S_m.(m≥k).

1. 1

   Extract the pixel-shares v_1,j,v_2,j...,v_m,j,j∈[1,l] from S₁,S₂...,S_m.

2. 2

   Using the approach of Shamir’s scheme, and reconstructing the polynomial ψ_j(x)=a_j,0+a_j,1x+a_j,2x²+...,+a_j,k−1x^k−1 from v_1,j,v_2,j...,v_m,j,j∈[1,l]. The block B_j=a_j,0∥a_j,1∥...,∥a_j,k−1.

3. 3

   Outputs O=B₁∥B₂∥,...,∥B_l.

It is obvious that Scheme 2 satisfies the k-threshold property: k or more shadows can reconstruct entire image; less than k shadows get nothing about secret image. The size of each shadow in Scheme 2 is \(\frac {1}{k}\) times of the original image.

In this section, we consider the cheating problem in Scheme 2 and then proposed a cheating identifiable SIS that has the ability of identifying cheaters; then, the theoretical analysis is discussed to prove the correctness of the proposed work.

3.1 The proposed scheme

Suppose that during the image reconstruction phase, cheaters can submit forged shadows. It results that the honest participants can only get a fake secret image, while the cheaters can even reconstruct the secret image exclusively. In order to prevent this problem, we construct a (k,n) SIS with cheating identification under the model in Section 2.2. Our scheme is based on Thien-Lin’s fundamental scheme which can be also extended in other polynomial-based SIS schemes. Our scheme is shown in the following Scheme 3.

Scheme 3: (k,n) SIS scheme with cheating identification

Shadow Generation Phase: Input a secret image O, output n shadows S₁,S₂,...,S_n.

1. 1

   The dealer divides O into l-non-overlapping \(k+\left \lfloor \frac {k-2}{2}\right \rfloor \)-pixel blocks, B₁,B₂,...,B_l. (Let \(\omega =\left \lfloor \frac {k-2}{2}\right \rfloor \) in the rest of this paper)

2. 2

   For each block B_i,i∈[1,l], there are k+ω secret pixels a_i,0,a_i,1,...,a_i,k−1 and b_i,0,b_i,1,...,b_i,ω−1∈GF(251). The dealer generates a k−1 degree polynomial ψ_i(x)=a_i,0+a_i,1x+...,+a_i,k−1x^k−1∈GF(251)[X].

3. 3

   The dealer chooses a random integer γ_i, and computes k−ω pixels \(\phantom {\dot {i}\!}b_{i,\omega },b_{i,\omega +1,..,b_{i,k-1}}\) which satisfy that: a_i,ω+γ_ib_i,ω=0,a_i,ω+1+γ_ib_i,ω+1=0,...,a_i,k−1+γ_ib_i,k−1=0 over GF(251). Then the dealer generates another k−1 degree polynomial φ_i(x)=b_i,0+b_i,1x+...,+b_i,k−1x^k−1. It also implies that η_i(x)=ψ_i(x)+γ_iφ_i(x) is of degree ω−1.

4. 4

   For each block B_i,i∈[1,l], the dealer computes pixel-shares v_i,j={m_i,j,d_i,j},m_i,j=ψ_i(j),d_i,j=φ_i(j),j=1,2...,n for each participant P_j. The shadow S_j for P_j is S_j=v_1,j∥v_2,j∥,...,∥v_t,j.

Image Reconstruction Phase: Input k shadows, without loss of generality (S₁,S₂,...,S_k)

1. 1

   Extract the pixel-shares v_i,j=(m_i,j,d_i,j),i=1,2...,l,j=1,2...,k from S₁,S₂...,S_k.

2. 2

   For each group of v_i,1,v_i,2,...,v_i,k,i∈[1,l], using Lagrange interpolation to reconstruct ψ_i(x) and φ_i(x) from m_i,1,m_i,2,...,m_i,k and d_i,1,d_i,2,...,d_i,k respectively.

   1. (a)

      If there exists a ω−1 polynomial η_i(x) and an integer γ_i, namely η_i(x)=ψ_i(x)+γ_iφ_i(x),i∈[1,l], recover the block B_i=(a_i,0,a_i,1,...,a_i,k−1,b_i,0,b_i,1,...,b_i,ω−1),i=1,2,...,l. The image O is reconstructed as O=B₁∥B₂,...,∥B_l.

   2. (b)

      Otherwise, if there exists no integer γ_j,j∈[1,l] which satisfies that ψ_j(x)+γ_jφ_j(x) with degree ω−1, using the following Algorithm 1 to identify cheaters.

The cheating identification process is described in Algorithm 1. For simplicity, it takes k pixel-shares v_i=(m_i,d_i),i=1,2,...,k as input and outputs the set of cheaters.

Algorithm 1: Cheating identification: input v_i=(m_i,d_i),i=1,2,...,k; output the set \(\mathcal {X}\) of cheaters.

• Generating \(C^{\omega +1}_{k}\) subsets \(\varepsilon _{1},\varepsilon _{2},...,\varepsilon _{C^{\omega +1}_{k}}\) on the set of k pixel-shares {v₁,v₂,...,v_k}.

• For each subset \(\varepsilon _{i},i\in \left [1,C^{\omega +1}_{k}\right ]\), computing its corresponding checking polynomial \(\eta ^{\prime }_{i}(x)\). For example, ε₁={v₁,v₂,...,v_ω,v_ω+1}, compute two ω−th interpolated polynomials \(\psi ^{\prime }_{1}(x)\) and \(g^{\prime }_{1}(x)\) on m₁,m₂,...,m_ω+1 and d₁,d₂,...,d_ω,d_ω+1 respectively. Figure out an integer \(\gamma ^{\prime }_{1}\) such that \(\eta ^{\prime }_{1}(x)=\psi ^{\prime }_{1}(x)+\gamma ^{\prime }_{1}g^{\prime }_{1}(x)\) is of degree ω−1. Then \(\eta ^{\prime }_{1}(x)\) is the checking polynomial on the subset ε₁.

• Figure out the majority polynomial η^m(x) among all the \(C^{\omega +1}_{k}\) checking polynomials. Suppose ε₁,ε₂,...,ε_w are all the w subsets whose checking polynomial equals to the majority polynomial η^m(x), then the set of cheaters is presented by \(\mathcal {X}=\left \{P_{1},P_{2},...,P_{k}\right \}-\left (\varepsilon _{1}\bigcup \varepsilon _{2},...,\bigcup \varepsilon _{w}\right)\).

In Thien-Lin’s scheme, it can be noticed that the size of the shadow is \(\frac {1}{k}\) times of the secret image. In our scheme, the pixel-share v_i,j=(m_i,j,d_i,j) are generated from each k+ω-pixels block; therefore, the size of the shadow in our scheme is \(\frac {2}{k+\omega }\) times of the secret image O. The most complicated operation of cheating identification in our scheme is computing \(C^{\omega +1}_{k}\) polynomials with ω−1 degree; thus, the time complexity is \(O\left (C^{\omega +1}_{k}\ast \omega ^{2}\right)\).

Observing that in the proposed scheme, each block of the secret image is shared using Shamir’s (k,n) secret sharing scheme. Therefore, our proposed scheme is a perfect (k,n) threshold scheme, namely, k or more shadows can reconstruct the image, while k−1 or less shadows get no information about the image.

3.2 Theoretical analysis

The capability of cheating identification of the proposed scheme is summarized by the following lemma and theorem. Since in our scheme, the secret image is divided into multiple blocks and each block is encrypted into shares using the same approach, we use one block of k+u pixels instead of the entire image to analyze its cheating identification ability.

Lemma 1

Sharing a (k+ω)-pixel block B=(a₀,a₁,...,a_k−1,b₀,b₁,...,b_ω−1) as shown in Scheme 2, any ω+1 participants can get γ and ω−1 degree polynomial η(x). The dealer D decides the parameters of η(x). (η(x)=γφ(x)+ψ(x), any ω+1 participants can get η(x) and γ without acknowledgment on ψ(x) and φ(x)) but ω participants are unable to get any information about γ and η(x).

Proof

Supposing ω+1 participants are P₁,P₂,...,P_ω+1, respectively, and they possess ω+1 pixel-shares, v_i={m_i,d_i},i=1,2,...,ω+1. The ω+1 points (1,m₁),(2,m₂),...,(ω+1,m_ω+1) determine an interpolated polynomial ψ^′(x). And another interpolated polynomial φ^′(x) is determined by ω+1 points (1,d₁),(2,d₂),...,(ω+1,d_ω+1). A conclusion can be made easily, ω+1 points (1,m₁),(2,m₂),...,(ω+1,m_ω+1) are linear independent; otherwise, the interpolated polynomial on (1,m₁),(2,m₂),...,(k,m_k) would be less than k−1, since the n points (1,m₁),(2,m₂),...,(k,m_k) deduce a interpolated polynomial with k−1 degree ψ(x) and k>ω+1. So, ψ^′(x) and φ^′(x) are both ω-degree interpolated polynomials.

Now, we have η(x)=γφ(x)+ψ(x) and η^′(x)=ψ^′(x)+γ^′φ^′(x). Let R(x)=η(x)−η^′(x). Therefore, we get:

We get ψ(i)=ψ^′(i),i=1,2,...,ω+1, since ψ(x) and ψ^′(x) must pass through (i,m_i),i=1,2,...,ω+1. Similarly, we get φ(i)=φ^′(i),i=1,2,...,ω+1. Together with Eq. (1), we can get that R(i)=(γ−γ^′)φ^′(i),i=1,2,...,ω+1, which means that R(x) intersects (γ−γ^′)φ^′(x) at ω+1 points, since both R(x) and (γ−γ^′)φ^′(x) are of degree no more than ω.

Thus, we get a conclusion that:

Obviously, R(x)=η(x)−η^′(x), where R(x) is an interpolated polynomial, and the degree which is no more than ω−1. Similarly, the φ^′(x) is of degree ω exactly. Therefore, we get that γ=γ^′ and η^′(x)=η(x). Otherwise, it would contradict to Eq. (2).

Next, we prove that γ and η(x) cannot be gotten by ω shareholders. The φ(x) is dependent with ψ(x), such that there exists a ω−1 degree polynomial η(x) and a value γ, which satisfies η(x)=ψ(x)+γφ(x). If we consider the ω coefficients of η(x) and the value γ as ω+1 unknowns, then each participant P_i can build a linear equation η(i)=m_i+γ·d_i on these ω+1 unknowns using their share (m_i,d_i). As a result, ω participants can build ω linear equations on these ω+1 unknowns. These ω+1 unknowns cannot be figured out, according to the property of linear equations. Otherwise, by using their ω shares, ω participants can only get two ω−1-th degree interpolated polynomials ψ^′′(x) and φ^′′(x). η(x) and γ can be denoted as

However, η(x),ψ^′′(x) and φ^′′(x) are ω−1-degree interpolated polynomials. According to Eq. (3), with probabilities \(\frac {1}{p}\), each element e in GF(p) could be γ. Therefore, γ and η(x) cannot be gotten by ω shareholders. End proof. □

Theorem 1

If the number t of cheaters satisfies \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor \), these cheaters can be identified in the proposed scheme.

Proof

According to Lemma 1, γ and η(x) can be obtained by ω+1 cheaters using their valid pixel-shares. Among these cheaters, the P_j is a critical cheater, which can even forge his pixel-share \(v^{\prime }_{j}=\left (m^{\prime }_{j},d^{\prime }_{j}\right)\) where \(m^{\prime }_{j}\neq m_{j}\) to satisfy \(m^{\prime }_{j}+\gamma \cdotp d^{\prime }_{j}=\eta (j)\). Each combination of ω+1 submitted pixel-shares including \(v^{\prime }_{j}\) deduces an identical checking polynomial η(x), during secret reconstruction and cheater identification, the cheater P_j succeeds in cheating.

As illustrated in Lemma 1, when \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor, \omega \) cheaters can get no information about γ. Thus, forged shares cannot be made successfully by any ω or less cheaters, to avoid identification. A checking polynomial can be generated by any ω+1 participants, according to Lemma 1, and \(t\leq \omega =\left \lfloor \frac {k-2}{2}\right \rfloor \). There are ω+2 valid shares selected from k submitted shares at least. \(C^{\omega +1}_{\omega +2}=\omega +2\) valid checking polynomials can be generated in CI. Without loss of generality, supposing P₁ is a critical cheater who releases a forged pixel-share \(v^{\prime }_{1}\). If and only if there is a set of ω+2 submitted pixel-shares including \(v^{\prime }_{1}\), and this set of pixel-shares has the property, a same checking polynomial η₁(x) can be made by each ω+1 combined shares.

The ω+2 submitted pixel-shares are \(v^{\prime }_{1},v^{\prime }_{1},...,v^{\prime }_{t},v_{t+1},...,v_{i_{\omega +2}}\) where P₁,P₂,...,P_t are t cheaters and P₁ is a critical cheater who knows \(v^{\prime }_{2},v^{\prime }_{3},...,v^{\prime }_{t}\). η₁(x) and the value γ₁ are made by \(v^{\prime }_{1},v^{\prime }_{2},...,v^{\prime }_{t},v_{t+1},...,v_{\omega +1}\), then v_ω+2=(m_ω+2,d_ω+2) has to satisfy

It is noticed that the t cheaters can get no information about γ₁,η₁(x) and v_ω+2=(m_ω+2,d_ω+2), and the probability of (4) is \(\frac {1}{p}\). In other words, the successful cheating probability of P₁ is \(\frac {1}{p}\). End proof. □

In this part, we show the experimental results and give a comparison between our scheme and other cheating detectable SIS. In this example, let the threshold is (k,n)=(6,n), and the secret image O is divided into l blocks where each block includes \(k+\left \lfloor \frac {k-2}{2}\right \rfloor =8\) secret pixels. Assuming one block B consists of the following 8 pixels: (a₀,...,a₅,b₀,b₁)=(57,68,90,231,42,89,124,186), the dealer selects an integer γ=10, then generates two k−1=5 degree polynomials: ψ(x)=57+68x+90x²+231x³+42x⁴+89x⁵ and φ(x)=124+186x+242x²+2x³+46x⁴+217x⁵, where a_i+γ·b_i=0,i=2,3,4,5. Supposing P₁,P₂,...,P₆ participate in image reconstruction, the pixel-shares are v₁=(75,64),v₂=(148,124),v₃=(209,135),v₄=(220,151),v₅=(59,134),v₆=(160,141).

If all these 6 participants are honest, they submit real pixel-shares in image reconstruction, and two polynomials ψ(x)=57+68x+90x²+231x³+42x⁴+89x⁵ and φ(x)=124+186x+242x²+2x³+46x⁴+217x⁵ can be reconstructed, respectively. They can also find γ=10, such that η(x)=ψ(x)+γ·φ(x)=42+171x is of degree \(\left \lfloor \frac {k-2}{2}\right \rfloor -1\). It means that there is no cheating behavior, and the pixel-block B=(57,68,90,231,42,89,124,186) is reconstructed.

Now we assume P₁,P₂ are two cheaters \(\left (t=2\leq \left \lfloor \frac {k-2}{2}\right \rfloor \right)\) who submit fake pixel-shares \(v_{1}^{\prime }=(98,109),v_{2}^{\prime }=(215,81)\) in image reconstruction. The cheating behavior can be easily detected using our scheme. During cheating identification algorithm, all the 4 subsets which contain 3 honest participants can compute the same checking polynomial η(x)=42+171x. For example, (P₃,P₄,P₅) can get two interpolated polynomials ψ^∗(x)=148+111x+165x²,φ^∗(x)=140+6x+109x². Then, they can figure out a unique integer γ=10 such that η(x)=ψ^∗(x)+γ·φ^∗(x)=42+171x. For another subset of 3 honest participants (P₃,P₄,P₆), they can reconstruct two interpolated polynomials ψ^∗(x)=12+23x+70x²,φ^∗(x)=3+65x+244x² from their pixel-shares. Then, they can also figure out the integer r=10 such that η(x)=ψ^∗(x)+γ·φ^∗(x)=42+171x. On the other side, each subset of three participants which contain P₁ or P₂ deduces different checking polynomials. Therefore, η(x)=ψ^∗(x)+γ·φ^∗(x)=42+171x is regarded as the majority polynomial, and the cheaters can be identified successfully accordingly.

In [21], Yang et al. proposed an authentication approach in secret image sharing which is also capable of identifying cheaters during secret reconstruction phase. The scheme in [21] is also based on Thien-Lin’s scheme [3], but uses symmetric bivariate polynomial to generate shadows. It encrypts each \(\frac {k(k+1)}{2}\) secret pixels into k pixel-shares, and the size of the shadow is \(\frac {2}{k+1}\) times of the secret image. The shadow size in our scheme is \(\frac {2}{k+\omega }\), which is smaller than the size in Yang et al.’s scheme when \(\omega =\left \lfloor \frac {k-2}{2}\right \rfloor \geq 1\). In cheating identification, not only the k participants, but also the other n−k participants work together to vote for the k participants using the property of symmetry bivariate polynomial. The participants who get less than \(\left \lfloor \frac {n-1}{2}\right \rfloor \) votes are identified as cheaters. However, in most cheating identifiable secret sharing schemes, the cheating identification is carried out only by the participants in secret reconstruction, and it is not practical to involve other n−k participants in cheating identification. In fact, if k participants work together to identify cheaters in Yang et al.’s scheme, the cheaters cannot be identified since the cheater can always get more votes than honest participants. The comparison between Yang et al.’s scheme and the proposed scheme is shown in the following Table 1. The symbol CI in Table 1 means the capability of cheating identification.

We can also use 512×512 Lena (Fig. 1) as the secret image O to generate shadows using our (4,7) SIS scheme with cheating identification. The n=7 shadows are shown in Fig. 2 where each shadow has \(\frac {2}{k+\left \lfloor \frac {k-2}{2}\right \rfloor }=\frac {2}{5}\) times of the secret image. Each 4 participants can reconstruct the image that can identify \(\left \lfloor \frac {k-2}{2}\right \rfloor =1\) cheaters.

512×512 secret image

Full size image

Seven shadows on the secret image

Full size image

In this paper, we consider the well-known cheating problem in polynomial-based (k,n) SIS, such that a group of malicious participants submit fake shadows during image reconstruction. In order to prevent such cheating behavior, we construct a (k,n) SIS scheme with cheating identification under the model of cheating identifiable SS scheme. Our scheme is capable of identifying \(\left \lfloor \frac {k-2}{2}\right \rfloor \) cheaters when k participants involve in image reconstruction. In addition, the proposed scheme is based on the landmark Thien-Lin’s polynomial-based SIS scheme, which can be easily extended into other polynomial-based SIS schemes. Both the size of shadow and the capability of cheating identification are enhanced from previous SIS schemes with cheating identification.

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

SS:

Secret sharing

SIS:

Secret image sharing

VC:

Visual cryptography

We want to thank Professor Lein Harn from the University of Missouri-Kansas city for his help in English improvement.

The research presented in this paper is supported by the National Key R&D Program of China under No. 2018YFB1800100.

Authors and Affiliations

1. Beijing University of Posts and Telecommunications, Beijing, China

   Ma Zheng, Ma Yan & Huang Xiaohong

2. China Unicom Network Technology Research Institute, Beijing, China

   Ma Zheng & Zhang Manjun

3. Xi’an University of Technology, 710048, Xi’an, China

   Liu Yanxiao

Contributions

Zheng Ma provides the main concept, Yan Ma and Xiaohong Huang design the algorithms, Manjun Zhang gives the experiments, and Yanxiao Liu makes the comparisons. The authors read and approved the final manuscript.

Corresponding author

Correspondence to Liu Yanxiao.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions