 Research
 Open access
 Published:
Applying cheating identifiable secret sharing scheme in multimedia security
EURASIP Journal on Image and Video Processing volume 2020, Article number: 42 (2020)
Abstract
In (k,n) secret sharing scheme, one secret is encrypted into n shares in such a way that only k or more shares can decrypt the secret. Secret sharing scheme can be extended into the field of multimedia that provides an efficient way to protect confidential information on multimedia. Secret image sharing is just the most important extension of secret sharing that can safely guard the secrecy of images among multiple participants. On the other hand, cheating detection is an important issue in traditional secret sharing schemes that have been discussed for many years. However, the issue of cheating detection in secret image sharing has not been discussed sufficiently. In this paper, we consider the cheating problem in the application of secret image sharing schemes and construct a (k,n) secret image sharing scheme with the ability of cheating detection and identification. Our scheme is capable of identifying cheaters when k participants involve in reconstruction. The cheating identification ability and size of shadow in the proposed scheme are improved from the previous cheating identifiable secret image sharing scheme.
1 Introduction
(k,n) secret sharing (SS) scheme was first proposed by Shamir [1] in 1979 to safeguard secret information among a group of participants. In Shamir’s scheme, a secret s is divided into n shares v_{1},v_{2},...,v_{n} using a k−1 degree polynomial in such a way that any k−1 or less shares get no information about the secret s and any k or more shares can reconstruct the secret s efficiently. In [2], the researchers designed reliable and secure devices that can realize Shamir’s SS [1]. In 2002, Thien and Lin combined Shamir’s SS scheme with image and proposed a secret image sharing (SIS) scheme [3] that can protect information on secret image among multiple users. After years of research, many SIS schemes were constructed, and all existing SIS schemes can be mainly divided into two categories: one is polynomialbased SIS schemes [4–6], and the other is visual cryptography (VC)based schemes [7–9]. Polynomialbased SIS schemes can reconstruct lossless image with reduced shadow size; the image reconstruction in VCbased SIS schemes can be simply accomplished by human visual system without any computation. However, the reconstructed image is lossy and the size of shadow is expanded from the original image.
The cheating problem in SS schemes was first introduced by Tompa and Woll [10] in 1989. They considered the scenario that some dishonest participants (cheaters) pool fake shares when reconstructing the secret. Through this method, the cheaters can get the valid secret exclusively; the other honest participants can only decode a forged secret. Many works have focused on solving cheating problem in SS schemes. Some of them [11–13] were interested in detecting the cheating behavior, and others [14–16] focused on not only detecting the cheating, but also identifying the cheaters. The cheating identifiable schemes have stronger capability to resist cheating, and it results that the shares are larger and the schemes are more complicated than those cheating detectable schemes.
As a result, the cheating problem is also an important issue in the field of SIS schemes. However, this issue has not been discussed sufficiently in SIS so far. In the works [17–19], some SIS schemes with steganography and authentication were capable of detecting or identifying the cheating behavior. However, those SIS schemes were not based on Shamir’s scheme and the capabilities of cheating detection or identification were not strong enough to prevent the cheating. In [20], Liu et al. proposed a SIS with the capability of cheating detection, but the identification of cheaters is still unknown. In [21], Yang et al. proposed a SIS scheme that can identify cheaters during reconstruction. In their scheme, shadows are generated from bivariate polynomial and each shadow has extra bits which is used for authentication. The cheating identification is based on the property of symmetry in bivariate polynomial; however, the power on identifying cheaters in [21] is limited.
In this paper, we focus on the cheating problem in the fundamental polynomialbased SIS [3]. Since cheating identifiable scheme has much stronger power to prevent cheating behavior, we construct a (k,n) SIS scheme capable of identifying up to \(\left \lfloor \frac {k2}{2}\right \rfloor \) cheaters. The rest of this paper is organized as follows. In Section 2, we introduce some related works, which includes Shamir’s (k,n) SS scheme, polynomialbased SIS scheme, and the model of cheating identification in SS scheme. In Section 3, we construct a (k,n) SIS scheme capable of cheating identification, and the theoretical analysis is also provided in this section. In Section 4, we use an example to illustrate the cheating identification in the proposed scheme and give a comparison between the scheme in [21] and the proposed scheme. Section 5 gives the conclusion of this paper.
2 Related works
2.1 Shamir’s (k,n) SS scheme
A (k,n) SS scheme is an approach where a secret is decrypted into n shares, in such way that any k or more shares can reconstruct the secret and fewer than k shares get nothing about the secret. More formally, in secret sharing scheme, there exist n participants \(\mathcal {P}=\{P_{1},P_{2},...,P_{n}\}\) and a dealer \(\mathcal {D}\). A (k,n) secret sharing scheme consists of two phases:

1
Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares v_{1},v_{2},...,v_{n} and sends each share v_{i} to a participant P_{i}.

2
Reconstruction phase: During this phase, a group of at least k participants submit their shares to reconstruct the secret.
In the sharing phase, the dealer \(\mathcal {D}\) computes n shares in such a way that satisfies the following conditions:

1
Correctness: Any set of at least k shares can reconstruct the valid secret.

2
Secrecy: Any fewer than k shares have no information about the secret.
Shamir’s (k,n) SS scheme is shown in the following Scheme 1.
Scheme 1: Shamir’s (k,n) SS scheme

Sharing phase:

1
The dealer \(\mathcal {D}\) chooses a k−1 degree polynomial ψ(x)∈GF(q)[X] which satisfies s=ψ(0)∈GF(q).

2
The dealer \(\mathcal {D}\) computes n shares v_{i}=ψ(i),i=1,2...,n, and sends each share v_{i} to a participant P_{i}.

1

Reconstruction phase:

1
m(≥k) participants (say P_{1},P_{2}...,P_{m}) submit their shares v_{1},v_{2}...,v_{m} together.

2
Computing the interpolated polynomial ψ(x) on v_{1},v_{2}...,v_{m} by the equation: \(\psi (x)={\sum \nolimits }^{m}_{i=1}\left (v_{i}\prod \nolimits _{u\neq i}\frac {xu}{iu}\right)\). Then the secret s=ψ(0).

1
2.2 Cheating identification in SS scheme
Tompa and Woll [10] first introduced the cheating problem in secret sharing schemes, for instance, some cheaters submit fake shares during the reconstruction phase, which makes the honest participants reconstruct a forged secret and the cheaters can get the real secret exclusively. Cheating identification is a strong strategy to resist such cheating. The model of cheating identifiable secret sharing scheme is shown as follows:

Sharing phase: During this phase, the dealer \(\mathcal {D}\) divides the secret s into n shares v_{1},v_{2}...,v_{n} and sends each share v_{i} to a user P_{i}.

Reconstruction phase: During this phase, a group of m users (m≥k) submit their shares to reconstruct the secret.

1
A public cheating identification algorithm is applied on these m shares to identify cheaters.

2
Let L be the set of users who are identified to be cheaters using cheating identification algorithm.
If (m−L)≥k, reconstruct the secret s from those shares of users who are not in L, and output (s,L);
If (m−L)<k, output L.

1
2.3 Polynomialbased SIS
In [3], Thien and Lin proposed a remarkable (k,n) SIS which was based on Shamir’s SS scheme. An image O is made up of multiple pixels, and the gray value of each pixel is in GF(251). In fact, the range of gray scale is [0,255]; for each pixel larger than 250, they are replaced by the value 250. Therefore, the reconstructed image would be of a little quality distortion from the original image. However, in majority cases, this quality distortion can be omitted with large number of pixels in an image. If all the pixels in an image are treated as secrets, a polynomialbased SIS can be extended from Shamir’s SS. ThienLin’s SIS scheme consists of two phases: shadow generation phase and image reconstruction phase. In the shadow generation phase, a dealer regards a secret image O as input and outputs n shadows S_{1},S_{2}...,S_{n}; during image recovery phase, any set of m shadows k≤m≤n reconstruct the secret image O.
Scheme 2: ThienLin’s (k,n) SIS
Shadow Generation phase:
Input secret image O, output n shadows S_{1},S_{2}...,S_{n}

1
The dealer divides O into lnonoverlapping kpixel blocks, B_{1},B_{2}...,B_{l}.

2
For k pixels a_{j,0},a_{j,1}...,a_{j,k−1}∈GF(251) in each block B_{j},j∈[1,l], the dealer generates a k−1 degree polynomial ψ_{j}(x)∈GF(251)[X], namely, ψ_{j}(x)=a_{j,0}+a_{j,1}x+a_{j,2}x^{2}+...,+a_{j,k−1}x^{k−1}, and computes n pixelshares v_{j,1}=ψ_{j}(1),v_{j,2}=ψ_{j}(2)...,v_{j,n}=ψ_{j}(n),j∈[1,l] as Shamir’s secret sharing scheme.

3
Outputs n shadows S_{i}=v_{1,i}∥v_{2,i}∥,...,∥v_{l,i},i=1,2...,n, the symbol ∥ is the combination of pixelshares.
Image reconstruction phase:
On input m shadows S_{1},S_{2}...,S_{m}.(m≥k).

1
Extract the pixelshares v_{1,j},v_{2,j}...,v_{m,j},j∈[1,l] from S_{1},S_{2}...,S_{m}.

2
Using the approach of Shamir’s scheme, and reconstructing the polynomial ψ_{j}(x)=a_{j,0}+a_{j,1}x+a_{j,2}x^{2}+...,+a_{j,k−1}x^{k−1} from v_{1,j},v_{2,j}...,v_{m,j},j∈[1,l]. The block B_{j}=a_{j,0}∥a_{j,1}∥...,∥a_{j,k−1}.

3
Outputs O=B_{1}∥B_{2}∥,...,∥B_{l}.
It is obvious that Scheme 2 satisfies the kthreshold property: k or more shadows can reconstruct entire image; less than k shadows get nothing about secret image. The size of each shadow in Scheme 2 is \(\frac {1}{k}\) times of the original image.
3 Methods
In this section, we consider the cheating problem in Scheme 2 and then proposed a cheating identifiable SIS that has the ability of identifying cheaters; then, the theoretical analysis is discussed to prove the correctness of the proposed work.
3.1 The proposed scheme
Suppose that during the image reconstruction phase, cheaters can submit forged shadows. It results that the honest participants can only get a fake secret image, while the cheaters can even reconstruct the secret image exclusively. In order to prevent this problem, we construct a (k,n) SIS with cheating identification under the model in Section 2.2. Our scheme is based on ThienLin’s fundamental scheme which can be also extended in other polynomialbased SIS schemes. Our scheme is shown in the following Scheme 3.
Scheme 3: (k,n) SIS scheme with cheating identification
Shadow Generation Phase: Input a secret image O, output n shadows S_{1},S_{2},...,S_{n}.

1
The dealer divides O into lnonoverlapping \(k+\left \lfloor \frac {k2}{2}\right \rfloor \)pixel blocks, B_{1},B_{2},...,B_{l}. (Let \(\omega =\left \lfloor \frac {k2}{2}\right \rfloor \) in the rest of this paper)

2
For each block B_{i},i∈[1,l], there are k+ω secret pixels a_{i,0},a_{i,1},...,a_{i,k−1} and b_{i,0},b_{i,1},...,b_{i,ω−1}∈GF(251). The dealer generates a k−1 degree polynomial ψ_{i}(x)=a_{i,0}+a_{i,1}x+...,+a_{i,k−1}x^{k−1}∈GF(251)[X].

3
The dealer chooses a random integer γ_{i}, and computes k−ω pixels \(\phantom {\dot {i}\!}b_{i,\omega },b_{i,\omega +1,..,b_{i,k1}}\) which satisfy that: a_{i,ω}+γ_{i}b_{i,ω}=0,a_{i,ω+1}+γ_{i}b_{i,ω+1}=0,...,a_{i,k−1}+γ_{i}b_{i,k−1}=0 over GF(251). Then the dealer generates another k−1 degree polynomial φ_{i}(x)=b_{i,0}+b_{i,1}x+...,+b_{i,k−1}x^{k−1}. It also implies that η_{i}(x)=ψ_{i}(x)+γ_{i}φ_{i}(x) is of degree ω−1.

4
For each block B_{i},i∈[1,l], the dealer computes pixelshares v_{i,j}={m_{i,j},d_{i,j}},m_{i,j}=ψ_{i}(j),d_{i,j}=φ_{i}(j),j=1,2...,n for each participant P_{j}. The shadow S_{j} for P_{j} is S_{j}=v_{1,j}∥v_{2,j}∥,...,∥v_{t,j}.
Image Reconstruction Phase: Input k shadows, without loss of generality (S_{1},S_{2},...,S_{k})

1
Extract the pixelshares v_{i,j}=(m_{i,j},d_{i,j}),i=1,2...,l,j=1,2...,k from S_{1},S_{2}...,S_{k}.

2
For each group of v_{i,1},v_{i,2},...,v_{i,k},i∈[1,l], using Lagrange interpolation to reconstruct ψ_{i}(x) and φ_{i}(x) from m_{i,1},m_{i,2},...,m_{i,k} and d_{i,1},d_{i,2},...,d_{i,k} respectively.

(a)
If there exists a ω−1 polynomial η_{i}(x) and an integer γ_{i}, namely η_{i}(x)=ψ_{i}(x)+γ_{i}φ_{i}(x),i∈[1,l], recover the block B_{i}=(a_{i,0},a_{i,1},...,a_{i,k−1},b_{i,0},b_{i,1},...,b_{i,ω−1}),i=1,2,...,l. The image O is reconstructed as O=B_{1}∥B_{2},...,∥B_{l}.

(b)
Otherwise, if there exists no integer γ_{j},j∈[1,l] which satisfies that ψ_{j}(x)+γ_{j}φ_{j}(x) with degree ω−1, using the following Algorithm 1 to identify cheaters.

(a)
The cheating identification process is described in Algorithm 1. For simplicity, it takes k pixelshares v_{i}=(m_{i},d_{i}),i=1,2,...,k as input and outputs the set of cheaters.
Algorithm 1: Cheating identification: input v_{i}=(m_{i},d_{i}),i=1,2,...,k; output the set \(\mathcal {X}\) of cheaters.

Generating \(C^{\omega +1}_{k}\) subsets \(\varepsilon _{1},\varepsilon _{2},...,\varepsilon _{C^{\omega +1}_{k}}\) on the set of k pixelshares {v_{1},v_{2},...,v_{k}}.

For each subset \(\varepsilon _{i},i\in \left [1,C^{\omega +1}_{k}\right ]\), computing its corresponding checking polynomial \(\eta ^{\prime }_{i}(x)\). For example, ε_{1}={v_{1},v_{2},...,v_{ω},v_{ω+1}}, compute two ω−th interpolated polynomials \(\psi ^{\prime }_{1}(x)\) and \(g^{\prime }_{1}(x)\) on m_{1},m_{2},...,m_{ω+1} and d_{1},d_{2},...,d_{ω},d_{ω+1} respectively. Figure out an integer \(\gamma ^{\prime }_{1}\) such that \(\eta ^{\prime }_{1}(x)=\psi ^{\prime }_{1}(x)+\gamma ^{\prime }_{1}g^{\prime }_{1}(x)\) is of degree ω−1. Then \(\eta ^{\prime }_{1}(x)\) is the checking polynomial on the subset ε_{1}.

Figure out the majority polynomial η^{m}(x) among all the \(C^{\omega +1}_{k}\) checking polynomials. Suppose ε_{1},ε_{2},...,ε_{w} are all the w subsets whose checking polynomial equals to the majority polynomial η^{m}(x), then the set of cheaters is presented by \(\mathcal {X}=\left \{P_{1},P_{2},...,P_{k}\right \}\left (\varepsilon _{1}\bigcup \varepsilon _{2},...,\bigcup \varepsilon _{w}\right)\).
In ThienLin’s scheme, it can be noticed that the size of the shadow is \(\frac {1}{k}\) times of the secret image. In our scheme, the pixelshare v_{i,j}=(m_{i,j},d_{i,j}) are generated from each k+ωpixels block; therefore, the size of the shadow in our scheme is \(\frac {2}{k+\omega }\) times of the secret image O. The most complicated operation of cheating identification in our scheme is computing \(C^{\omega +1}_{k}\) polynomials with ω−1 degree; thus, the time complexity is \(O\left (C^{\omega +1}_{k}\ast \omega ^{2}\right)\).
Observing that in the proposed scheme, each block of the secret image is shared using Shamir’s (k,n) secret sharing scheme. Therefore, our proposed scheme is a perfect (k,n) threshold scheme, namely, k or more shadows can reconstruct the image, while k−1 or less shadows get no information about the image.
3.2 Theoretical analysis
The capability of cheating identification of the proposed scheme is summarized by the following lemma and theorem. Since in our scheme, the secret image is divided into multiple blocks and each block is encrypted into shares using the same approach, we use one block of k+u pixels instead of the entire image to analyze its cheating identification ability.
Lemma 1
Sharing a (k+ω)pixel block B=(a_{0},a_{1},...,a_{k−1},b_{0},b_{1},...,b_{ω−1}) as shown in Scheme 2, any ω+1 participants can get γ and ω−1 degree polynomial η(x). The dealer D decides the parameters of η(x). (η(x)=γφ(x)+ψ(x), any ω+1 participants can get η(x) and γ without acknowledgment on ψ(x) and φ(x)) but ω participants are unable to get any information about γ and η(x).
Proof
Supposing ω+1 participants are P_{1},P_{2},...,P_{ω+1}, respectively, and they possess ω+1 pixelshares, v_{i}={m_{i},d_{i}},i=1,2,...,ω+1. The ω+1 points (1,m_{1}),(2,m_{2}),...,(ω+1,m_{ω+1}) determine an interpolated polynomial ψ^{′}(x). And another interpolated polynomial φ^{′}(x) is determined by ω+1 points (1,d_{1}),(2,d_{2}),...,(ω+1,d_{ω+1}). A conclusion can be made easily, ω+1 points (1,m_{1}),(2,m_{2}),...,(ω+1,m_{ω+1}) are linear independent; otherwise, the interpolated polynomial on (1,m_{1}),(2,m_{2}),...,(k,m_{k}) would be less than k−1, since the n points (1,m_{1}),(2,m_{2}),...,(k,m_{k}) deduce a interpolated polynomial with k−1 degree ψ(x) and k>ω+1. So, ψ^{′}(x) and φ^{′}(x) are both ωdegree interpolated polynomials.
Now, we have η(x)=γφ(x)+ψ(x) and η^{′}(x)=ψ^{′}(x)+γ^{′}φ^{′}(x). Let R(x)=η(x)−η^{′}(x). Therefore, we get:
We get ψ(i)=ψ^{′}(i),i=1,2,...,ω+1, since ψ(x) and ψ^{′}(x) must pass through (i,m_{i}),i=1,2,...,ω+1. Similarly, we get φ(i)=φ^{′}(i),i=1,2,...,ω+1. Together with Eq. (1), we can get that R(i)=(γ−γ^{′})φ^{′}(i),i=1,2,...,ω+1, which means that R(x) intersects (γ−γ^{′})φ^{′}(x) at ω+1 points, since both R(x) and (γ−γ^{′})φ^{′}(x) are of degree no more than ω.
Thus, we get a conclusion that:
Obviously, R(x)=η(x)−η^{′}(x), where R(x) is an interpolated polynomial, and the degree which is no more than ω−1. Similarly, the φ^{′}(x) is of degree ω exactly. Therefore, we get that γ=γ^{′} and η^{′}(x)=η(x). Otherwise, it would contradict to Eq. (2).
Next, we prove that γ and η(x) cannot be gotten by ω shareholders. The φ(x) is dependent with ψ(x), such that there exists a ω−1 degree polynomial η(x) and a value γ, which satisfies η(x)=ψ(x)+γφ(x). If we consider the ω coefficients of η(x) and the value γ as ω+1 unknowns, then each participant P_{i} can build a linear equation η(i)=m_{i}+γ·d_{i} on these ω+1 unknowns using their share (m_{i},d_{i}). As a result, ω participants can build ω linear equations on these ω+1 unknowns. These ω+1 unknowns cannot be figured out, according to the property of linear equations. Otherwise, by using their ω shares, ω participants can only get two ω−1th degree interpolated polynomials ψ^{′′}(x) and φ^{′′}(x). η(x) and γ can be denoted as
However, η(x),ψ^{′′}(x) and φ^{′′}(x) are ω−1degree interpolated polynomials. According to Eq. (3), with probabilities \(\frac {1}{p}\), each element e in GF(p) could be γ. Therefore, γ and η(x) cannot be gotten by ω shareholders. End proof. □
Theorem 1
If the number t of cheaters satisfies \(t\leq \omega =\left \lfloor \frac {k2}{2}\right \rfloor \), these cheaters can be identified in the proposed scheme.
Proof
According to Lemma 1, γ and η(x) can be obtained by ω+1 cheaters using their valid pixelshares. Among these cheaters, the P_{j} is a critical cheater, which can even forge his pixelshare \(v^{\prime }_{j}=\left (m^{\prime }_{j},d^{\prime }_{j}\right)\) where \(m^{\prime }_{j}\neq m_{j}\) to satisfy \(m^{\prime }_{j}+\gamma \cdotp d^{\prime }_{j}=\eta (j)\). Each combination of ω+1 submitted pixelshares including \(v^{\prime }_{j}\) deduces an identical checking polynomial η(x), during secret reconstruction and cheater identification, the cheater P_{j} succeeds in cheating.
As illustrated in Lemma 1, when \(t\leq \omega =\left \lfloor \frac {k2}{2}\right \rfloor, \omega \) cheaters can get no information about γ. Thus, forged shares cannot be made successfully by any ω or less cheaters, to avoid identification. A checking polynomial can be generated by any ω+1 participants, according to Lemma 1, and \(t\leq \omega =\left \lfloor \frac {k2}{2}\right \rfloor \). There are ω+2 valid shares selected from k submitted shares at least. \(C^{\omega +1}_{\omega +2}=\omega +2\) valid checking polynomials can be generated in CI. Without loss of generality, supposing P_{1} is a critical cheater who releases a forged pixelshare \(v^{\prime }_{1}\). If and only if there is a set of ω+2 submitted pixelshares including \(v^{\prime }_{1}\), and this set of pixelshares has the property, a same checking polynomial η_{1}(x) can be made by each ω+1 combined shares.
The ω+2 submitted pixelshares are \(v^{\prime }_{1},v^{\prime }_{1},...,v^{\prime }_{t},v_{t+1},...,v_{i_{\omega +2}}\) where P_{1},P_{2},...,P_{t} are t cheaters and P_{1} is a critical cheater who knows \(v^{\prime }_{2},v^{\prime }_{3},...,v^{\prime }_{t}\). η_{1}(x) and the value γ_{1} are made by \(v^{\prime }_{1},v^{\prime }_{2},...,v^{\prime }_{t},v_{t+1},...,v_{\omega +1}\), then v_{ω+2}=(m_{ω+2},d_{ω+2}) has to satisfy
It is noticed that the t cheaters can get no information about γ_{1},η_{1}(x) and v_{ω+2}=(m_{ω+2},d_{ω+2}), and the probability of (4) is \(\frac {1}{p}\). In other words, the successful cheating probability of P_{1} is \(\frac {1}{p}\). End proof. □
4 Results and discussion
In this part, we show the experimental results and give a comparison between our scheme and other cheating detectable SIS. In this example, let the threshold is (k,n)=(6,n), and the secret image O is divided into l blocks where each block includes \(k+\left \lfloor \frac {k2}{2}\right \rfloor =8\) secret pixels. Assuming one block B consists of the following 8 pixels: (a_{0},...,a_{5},b_{0},b_{1})=(57,68,90,231,42,89,124,186), the dealer selects an integer γ=10, then generates two k−1=5 degree polynomials: ψ(x)=57+68x+90x^{2}+231x^{3}+42x^{4}+89x^{5} and φ(x)=124+186x+242x^{2}+2x^{3}+46x^{4}+217x^{5}, where a_{i}+γ·b_{i}=0,i=2,3,4,5. Supposing P_{1},P_{2},...,P_{6} participate in image reconstruction, the pixelshares are v_{1}=(75,64),v_{2}=(148,124),v_{3}=(209,135),v_{4}=(220,151),v_{5}=(59,134),v_{6}=(160,141).
If all these 6 participants are honest, they submit real pixelshares in image reconstruction, and two polynomials ψ(x)=57+68x+90x^{2}+231x^{3}+42x^{4}+89x^{5} and φ(x)=124+186x+242x^{2}+2x^{3}+46x^{4}+217x^{5} can be reconstructed, respectively. They can also find γ=10, such that η(x)=ψ(x)+γ·φ(x)=42+171x is of degree \(\left \lfloor \frac {k2}{2}\right \rfloor 1\). It means that there is no cheating behavior, and the pixelblock B=(57,68,90,231,42,89,124,186) is reconstructed.
Now we assume P_{1},P_{2} are two cheaters \(\left (t=2\leq \left \lfloor \frac {k2}{2}\right \rfloor \right)\) who submit fake pixelshares \(v_{1}^{\prime }=(98,109),v_{2}^{\prime }=(215,81)\) in image reconstruction. The cheating behavior can be easily detected using our scheme. During cheating identification algorithm, all the 4 subsets which contain 3 honest participants can compute the same checking polynomial η(x)=42+171x. For example, (P_{3},P_{4},P_{5}) can get two interpolated polynomials ψ^{∗}(x)=148+111x+165x^{2},φ^{∗}(x)=140+6x+109x^{2}. Then, they can figure out a unique integer γ=10 such that η(x)=ψ^{∗}(x)+γ·φ^{∗}(x)=42+171x. For another subset of 3 honest participants (P_{3},P_{4},P_{6}), they can reconstruct two interpolated polynomials ψ^{∗}(x)=12+23x+70x^{2},φ^{∗}(x)=3+65x+244x^{2} from their pixelshares. Then, they can also figure out the integer r=10 such that η(x)=ψ^{∗}(x)+γ·φ^{∗}(x)=42+171x. On the other side, each subset of three participants which contain P_{1} or P_{2} deduces different checking polynomials. Therefore, η(x)=ψ^{∗}(x)+γ·φ^{∗}(x)=42+171x is regarded as the majority polynomial, and the cheaters can be identified successfully accordingly.
In [21], Yang et al. proposed an authentication approach in secret image sharing which is also capable of identifying cheaters during secret reconstruction phase. The scheme in [21] is also based on ThienLin’s scheme [3], but uses symmetric bivariate polynomial to generate shadows. It encrypts each \(\frac {k(k+1)}{2}\) secret pixels into k pixelshares, and the size of the shadow is \(\frac {2}{k+1}\) times of the secret image. The shadow size in our scheme is \(\frac {2}{k+\omega }\), which is smaller than the size in Yang et al.’s scheme when \(\omega =\left \lfloor \frac {k2}{2}\right \rfloor \geq 1\). In cheating identification, not only the k participants, but also the other n−k participants work together to vote for the k participants using the property of symmetry bivariate polynomial. The participants who get less than \(\left \lfloor \frac {n1}{2}\right \rfloor \) votes are identified as cheaters. However, in most cheating identifiable secret sharing schemes, the cheating identification is carried out only by the participants in secret reconstruction, and it is not practical to involve other n−k participants in cheating identification. In fact, if k participants work together to identify cheaters in Yang et al.’s scheme, the cheaters cannot be identified since the cheater can always get more votes than honest participants. The comparison between Yang et al.’s scheme and the proposed scheme is shown in the following Table 1. The symbol CI in Table 1 means the capability of cheating identification.
We can also use 512×512 Lena (Fig. 1) as the secret image O to generate shadows using our (4,7) SIS scheme with cheating identification. The n=7 shadows are shown in Fig. 2 where each shadow has \(\frac {2}{k+\left \lfloor \frac {k2}{2}\right \rfloor }=\frac {2}{5}\) times of the secret image. Each 4 participants can reconstruct the image that can identify \(\left \lfloor \frac {k2}{2}\right \rfloor =1\) cheaters.
5 Conclusion
In this paper, we consider the wellknown cheating problem in polynomialbased (k,n) SIS, such that a group of malicious participants submit fake shadows during image reconstruction. In order to prevent such cheating behavior, we construct a (k,n) SIS scheme with cheating identification under the model of cheating identifiable SS scheme. Our scheme is capable of identifying \(\left \lfloor \frac {k2}{2}\right \rfloor \) cheaters when k participants involve in image reconstruction. In addition, the proposed scheme is based on the landmark ThienLin’s polynomialbased SIS scheme, which can be easily extended into other polynomialbased SIS schemes. Both the size of shadow and the capability of cheating identification are enhanced from previous SIS schemes with cheating identification.
Availability of data and materials
Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.
Abbreviations
 SS:

Secret sharing
 SIS:

Secret image sharing
 VC:

Visual cryptography
References
A. Shamir, How to share a secret. Commun. ACM. 22(11), 612–613 (1979).
Z. Wang, M. Karpovsky, L. Bu, Design of reliable and secure devices realizing Shamir’s secret sharing. IEEE Trans. Comput.65(8), 2443–2455 (2016).
C. C. Thien, J. C. Lin, Secret image sharing. Comput. Graph.26(5), 765–770 (2002).
Y. X. Liu, C. N. Yang, Q. D. Sun, Y. C. Chen, (k,n) scalable secret image sharing with multiple decoding options. J. Intell. Fuzzy Syst.38(1), 219–228 (2020).
Y. X. Liu, C. N. Yang, Q. D. Sun, Thresholds based image extraction schemes in big data environment in intelligent traffic management. IEEE Trans. Intell. Transp. Syst. (2020). https://doi.org/10.1109/TITS.2020.2994386.
Y. X. Liu, C. N. Yang, C. M. Wu, Q. D. Sun, W. Bi, Threshold changeable secret image sharing scheme based on interpolation polynomial. Multimed. Tools Appl.78(13), 18653–18667 (2019).
R. Z Wang, Region incrementing visual cryptography. IEEE Sig. Process. Lett.16(8), 659–662 (2009).
C. N. Yang, H. W. Shih, C. C. Wu, L. Harn, k out of n region incrementing scheme in visual cryptography. IEEE Trans. Circ. Syst. Video Technol.22(5), 799–809 (2012).
C. N Yang, Y. C Lin, C. C Wu, Region in region incrementing visual cryptography scheme. Proc. IWDW2012, LNCS. 7809:, 449–463 (2013).
M. Tompa, H. Woll, How to share a secret with cheaters. J. Cryptol.1(3), 133–138 (1989).
P. Y. Lin, Chang C.C., Cheating resistance and reversibilityoriented secret sharing mechanism. IET Inf. Secur.5(2), 81–92 (2011).
S. Obana, T. Araki, in Proceedings of ASIACRYPT, LNCS 4284. Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution (SpringerHeidelberg, 2006), pp. 364–379.
W. Ogata, Kurosawa K., Stinson D.R., Optimum secret sharing scheme secure against cheating. SIAM J. Discret. Math.20(1), 79–95 (2006).
K. Kurosawa, S. Obana, W. Ogata, in Proceedings of CRYPTO, LNCS 563. tcheater identifiable (k,n) secret sharing schemes (SpringerHeidelberg, 1995), pp. 410–423.
S. Obana, in Proceedings of EUROCRYPT, LNCS 6632. Almost optimum tcheater identifiable secret sharing schemes (SpringerHeidelberg, 2011), pp. 284–302.
L. Harn, C. L. Lin, Detection and identification in (t,n) secret sharing scheme. Des. Code Crypt.52(1), 15–24 (2009).
C. C. Lin, W. H. Tsai, Secret image sharing with steganography and authentication. J. Syst. Softw.73:, 405–414 (2004).
C. N. Yang, T. S. Chen, K. H. Yu, C. C. Wang, Improvements of image sharing with steganography and authentication. J. Syst. Softw.80:, 1070–1076 (2007).
C. C. Chang, Y. P. Hsieh, C. H. Lin, Sharing secrets in stego images with authentication. Pattern Recog.41:, 3130–3137 (2008).
Y. X. Liu, Q. D. Sun, C. N. Yang, (k,n) secret image sharing scheme capable of cheating detection. EURASIP J. Wirel. Commun. Netw.2018:, 72 (2018).
C. N. Yang, J. F. Quyang, L. Harn, Steganography and authentication in image sharing without party bits. Opt. Commun.285:, 1725–1735 (2012).
Acknowledgements
We want to thank Professor Lein Harn from the University of MissouriKansas city for his help in English improvement.
Funding
The research presented in this paper is supported by the National Key R&D Program of China under No. 2018YFB1800100.
Author information
Authors and Affiliations
Contributions
Zheng Ma provides the main concept, Yan Ma and Xiaohong Huang design the algorithms, Manjun Zhang gives the experiments, and Yanxiao Liu makes the comparisons. The authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Ma, Z., Ma, Y., Huang, X. et al. Applying cheating identifiable secret sharing scheme in multimedia security. J Image Video Proc. 2020, 42 (2020). https://doi.org/10.1186/s1364002000529z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1364002000529z