Applying cheating identifiable secret sharing scheme in multimedia security

In (k,n) secret sharing scheme, one secret is encrypted into n shares in such a way that only k or more shares can decrypt the secret. Secret sharing scheme can be extended into the field of multimedia that provides an efficient way to protect confidential information on multimedia. Secret image sharing is just the most important extension of secret sharing that can safely guard the secrecy of images among multiple participants. On the other hand, cheating detection is an important issue in traditional secret sharing schemes that have been discussed for many years. However, the issue of cheating detection in secret image sharing has not been discussed sufficiently. In this paper, we consider the cheating problem in the application of secret image sharing schemes and construct a (k,n) secret image sharing scheme with the ability of cheating detection and identification. Our scheme is capable of identifying cheaters when k participants involve in reconstruction. The cheating identification ability and size of shadow in the proposed scheme are improved from the previous cheating identifiable secret image sharing scheme.

(2020) 2020:42 Page 2 of 10 simply accomplished by human visual system without any computation. However, the reconstructed image is lossy and the size of shadow is expanded from the original image. The cheating problem in SS schemes was first introduced by Tompa and Woll [10] in 1989. They considered the scenario that some dishonest participants (cheaters) pool fake shares when reconstructing the secret. Through this method, the cheaters can get the valid secret exclusively; the other honest participants can only decode a forged secret. Many works have focused on solving cheating problem in SS schemes. Some of them [11][12][13] were interested in detecting the cheating behavior, and others [14][15][16] focused on not only detecting the cheating, but also identifying the cheaters. The cheating identifiable schemes have stronger capability to resist cheating, and it results that the shares are larger and the schemes are more complicated than those cheating detectable schemes.
As a result, the cheating problem is also an important issue in the field of SIS schemes. However, this issue has not been discussed sufficiently in SIS so far. In the works [17][18][19], some SIS schemes with steganography and authentication were capable of detecting or identifying the cheating behavior. However, those SIS schemes were not based on Shamir's scheme and the capabilities of cheating detection or identification were not strong enough to prevent the cheating. In [20], Liu et al. proposed a SIS with the capability of cheating detection, but the identification of cheaters is still unknown. In [21], Yang et al. proposed a SIS scheme that can identify cheaters during reconstruction. In their scheme, shadows are generated from bivariate polynomial and each shadow has extra bits which is used for authentication. The cheating identification is based on the property of symmetry in bivariate polynomial; however, the power on identifying cheaters in [21] is limited.
In this paper, we focus on the cheating problem in the fundamental polynomial-based SIS [3]. Since cheating identifiable scheme has much stronger power to prevent cheating behavior, we construct a (k, n) SIS scheme capable of identifying up to k−2 2 cheaters. The rest of this paper is organized as follows. In Section 2, we introduce some related works, which includes Shamir's (k, n) SS scheme, polynomial-based SIS scheme, and the model of cheating identification in SS scheme. In Section 3, we construct a (k, n) SIS scheme capable of cheating identification, and the theoretical analysis is also provided in this section. In Section 4, we use an example to illustrate the cheating identification in the proposed scheme and give a comparison between the scheme in [21] and the proposed scheme. Section 5 gives the conclusion of this paper.

Shamir's (k, n) SS scheme
A (k, n) SS scheme is an approach where a secret is decrypted into n shares, in such way that any k or more shares can reconstruct the secret and fewer than k shares get nothing about the secret. More formally, in secret sharing scheme, there exist n participants P = {P 1 , P 2 , ..., P n } and a dealer D. A (k, n) secret sharing scheme consists of two phases: 1 Sharing phase: During this phase, the dealer D divides the secret s into n shares v 1 , v 2 , ..., v n and sends each share v i to a participant P i . 2 Reconstruction phase: During this phase, a group of at least k participants submit their shares to reconstruct the secret.
In the sharing phase, the dealer D computes n shares in such a way that satisfies the following conditions:  Shamir's (k, n) SS scheme is shown in the following Scheme 1.

Scheme 1: Shamir's (k, n) SS scheme
Sharing phase: The dealer D computes n shares v i = ψ(i), i = 1, 2..., n, and sends each share v i to a participant P i .

Cheating identification in SS scheme
Tompa and Woll [10] first introduced the cheating problem in secret sharing schemes, for instance, some cheaters submit fake shares during the reconstruction phase, which makes the honest participants reconstruct a forged secret and the cheaters can get the real secret exclusively. Cheating identification is a strong strategy to resist such cheating. The model of cheating identifiable secret sharing scheme is shown as follows: Sharing phase: During this phase, the dealer D divides the secret s into n shares v 1 , v 2 ..., v n and sends each share v i to a user P i . Reconstruction phase: During this phase, a group of m users (m ≥ k) submit their shares to reconstruct the secret.
1 A public cheating identification algorithm is applied on these m shares to identify cheaters. 2 LetL be the set of users who are identified to be cheaters using cheating identification algorithm. If (m − |L|) ≥ k, reconstruct the secret s from those shares of users who are not in L, and output (s, L);

Polynomial-based SIS
In [3], Thien and Lin proposed a remarkable (k, n) SIS which was based on Shamir's SS scheme. An image O is made up of multiple pixels, and the gray value of each pixel is in GF(251). In fact, the range of gray scale is [ 0, 255]; for each pixel larger than 250, they are replaced by the value 250. Therefore, the reconstructed image would be of a little quality distortion from the original image. However, in majority cases, this quality distortion can be omitted with large number of pixels in an image. If all the pixels in an image are treated as secrets, a polynomial-based SIS can be extended from Shamir's SS. Thien-Lin's SIS scheme consists of two phases: shadow generation phase and image reconstruction phase.
In the shadow generation phase, a dealer regards a secret image O as input and outputs n shadows S 1 , S 2 ..., S n ; during image recovery phase, any set of m shadows k ≤ m ≤ n reconstruct the secret image O.
.., n, the symbol is the combination of pixel-shares.
1 Extract the pixel-shares v 1,j , v 2,j ..., v m,j , j ∈[ 1, l] from S 1 , S 2 ..., S m . 2 Using the approach of Shamir's scheme, and reconstructing the polynomial It is obvious that Scheme 2 satisfies the k-threshold property: k or more shadows can reconstruct entire image; less than k shadows get nothing about secret image. The size of each shadow in Scheme 2 is 1 k times of the original image.

Methods
In this section, we consider the cheating problem in Scheme 2 and then proposed a cheating identifiable SIS that has the ability of identifying cheaters; then, the theoretical analysis is discussed to prove the correctness of the proposed work.

The proposed scheme
Suppose that during the image reconstruction phase, cheaters can submit forged shadows. It results that the honest participants can only get a fake secret image, while the cheaters can even reconstruct the secret image exclusively. In order to prevent this problem, we construct a (k, n) SIS with cheating identification under the model in Section 2.2. Our scheme is based on Thien-Lin's fundamental scheme which can be also extended in other polynomial-based SIS schemes. Our scheme is shown in the following Scheme 3. 3 The dealer chooses a random integer γ i , and computes k −ω pixels b i,ω , b i,ω+1,..,b i,k−1 which satisfy that: Then the dealer generates another k − 1 degree polynomial .., n for each participant P j . The shadow S j for P j is S j = v 1,j v 2,j , ..., v t,j .  (1) Generating C ω+1 k subsets ε 1 , ε 2 , ..., ε C ω+1 k on the set of k pixel-shares {v 1 , v 2 , ..., v k }.
In Thien-Lin's scheme, it can be noticed that the size of the shadow is 1 k times of the secret image. In our scheme, the pixel-share v i,j = m i,j , d i,j are generated from each k + ω-pixels block; therefore, the size of the shadow in our scheme is 2 k+ω times of the secret image O. The most complicated operation of cheating identification in our scheme is computing C ω+1 k polynomials with ω − 1 degree; thus, the time complexity is Observing that in the proposed scheme, each block of the secret image is shared using Shamir's (k, n) secret sharing scheme. Therefore, our proposed scheme is a perfect (k, n) threshold scheme, namely, k or more shadows can reconstruct the image, while k − 1 or less shadows get no information about the image.

Theoretical analysis
The capability of cheating identification of the proposed scheme is summarized by the following lemma and theorem. Since in our scheme, the secret image is divided into multiple blocks and each block is encrypted into shares using the same approach, we use one block of k+u pixels instead of the entire image to analyze its cheating identification ability. a (k + ω)-pixel block B = (a 0 , a 1 , ..., a k−1 , b 0 , b 1 , ..., b ω−1 ) as shown in Scheme 2, any ω + 1 participants can get γ and ω − 1 degree polynomial η(x). The dealer D decides the parameters of η(x). (η(x) = γ ϕ(x) + ψ(x), any ω + 1 participants can get η(x) and γ without acknowledgment on ψ(x) and ϕ(x)) but ω participants are unable to get any information about γ and η(x).
Thus, we get a conclusion that: Obviously, is an interpolated polynomial, and the degree which is no more than ω − 1. Similarly, the ϕ (x) is of degree ω exactly. Therefore, we get that γ = γ and η (x) = η(x). Otherwise, it would contradict to Eq. (2).
Next, we prove that γ and η(x) cannot be gotten by ω shareholders. The ϕ(x) is dependent with ψ(x), such that there exists a ω − 1 degree polynomial η(x) and a value γ , which satisfies η(x) = ψ(x) + γ ϕ(x). If we consider the ω coefficients of η(x) and the value γ as ω + 1 unknowns, then each participant P i can build a linear equation η(i) = m i + γ · d i on these ω + 1 unknowns using their share (m i , d i ). As a result, ω participants can build We can also use 512 × 512 Lena (Fig. 1) as the secret image O to generate shadows using our (4, 7) SIS scheme with cheating identification. The n = 7 shadows are shown in Fig.  2 where each shadow has

Conclusion
In this paper, we consider the well-known cheating problem in polynomial-based (k, n) SIS, such that a group of malicious participants submit fake shadows during image reconstruction. In order to prevent such cheating behavior, we construct a (k, n) SIS scheme with cheating identification under the model of cheating identifiable SS scheme. Our scheme is capable of identifying k−2 2 cheaters when k participants involve in image reconstruction. In addition, the proposed scheme is based on the landmark Thien-Lin's polynomial-based SIS scheme, which can be easily extended into other polynomial-based SIS schemes. Both the size of shadow and the capability of cheating identification are enhanced from previous SIS schemes with cheating identification.