Visual Cryptography Hossein Hajiabolhassan Department of Mathematical Sciences Shahid Beheshti University Tehran, Iran

Secret Sharing Scheme  A secret sharing scheme is a method of dividing a secret S among a finite set of participants.  only certain pre-specified subsets of participants can recover the secret (Qualified subsets). secret

K out of n  Consider a finite field GF(q) where q ≥n+1 and Choose a secret key s from GF(q).  Randomly choose s=a 0, a 1,…, a k-1 from GF(q),  Freely choose distinct x i (1 ≤i≤n).  Give to person i Secret share (x i, f(x i )) for all (1 ≤i≤n).

Perfect Secret Sharing  A secret sharing scheme is perfect if all authorized subsets can reconstruct the secret but no other subset can determine any information about the secret. This scheme is not perfect!

Visual Cryptography Anyone knows what is the secret?

Basic Definitions  Let P={1,...,n } be a set of elements called participants.  2^P denote the set of all subsets of P.  Q  2^P : members of qualified sets.  F  2^P: members of forbidden sets, Q  F= .   =(Q,F) is called the access structure of the scheme.   _0 : Call all the minimal qualified sets of  basis for the access structure  :  _0={A  Q : B  Q for all B  A, B ≠ A}.

Basic Definitions  Secret Image: The Secret consists of a collection of black and white pixels.  Share: Secret image encode into n shadow images in the form of the transparencies, called shares, where each participant receives one share.  Subpixel: Each pixel is divided into a certain number of subpixels.

Superimposing: 1 2 q ++++

Generation of Shares

share1 share2 stack pixel random 1212 Generation of Shares

Mathematical Model (0,1,0,1,0) (1,1,0,0,1) Sticking (1,1,0,1,1) Representation with Matrix [ ]

1 2 n Mathematical Model

2 out of 2 ` PixelProbability Shares #1 #2 Superposition of the two shares 1 0 [] [0 1 ] [] [] C_0 C_1 Same Matrices with Same Frequency

Expansion & Contrast  The number of subpixels that each pixel of the original image is encoded into on each transparency is termed pixel expansion.  The difference measure between a black and a white pixel in the reconstructed image is called contrast. [0 1 ][ [[]]] Expansion = 2 Contrast=( 2-1)/2=0.5 [

Visual Cryptography Scheme Naor and Shamir, 1994  Let  =(Q, F) be an access structure on a set of n participants. A  - VCS_1 with expansion m and contrast  (m) consists of two collections of n×m matrices C_0 and C_1 such that: I. For any qualified subset X={i_1,…,i_k} and A ε C_0, the or V of rows i_1,…,i_k of A satisfies w(V)  t_X-  (m).m ; whereas, for any B ε C_1 it results that w(V)  t_X. II. For any non-qualified subset X={i_1,…,i_t}. The two collections of t×m matrices D_j, with j ε {0,1}, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t are indistinguishable in the sense that they contain the same matrices with the same frequencies.

2 out of 21 0 [][0 1 ] [] [] C_0 C_1 X={ 1,2}, W(V)=2 X={ 1,2}, W(V)=1 D_0 D_1 X={ 1 }

VCS with Basis Matrices  Let  =(Q, F) be an access structure on a set of n participants. A basis for  - VCS_2 with expansion m and contrast  (m) consists of two matrices S^0 and S^1 such that: I. For any qualified subset X={i_1,…,i_k}, the or V of rows i_1,…,i_k of S^0 satisfies w(V)  t_X-  (m).m ; whereas, for S^1 it results that w(V)  t_X. II. For any non-qualified subset X={i_1,…,i_t}. The two t×m matrices D^j, with j ε {0,1}, obtained by restricting rows i_1,…,i_t to S^j are equal up to a permutation of columns.

K out of K {1} {2} {3} {1,2,3} [ { } {1,2} {1,3} {2,3} ][] S^1=.S^0=. C_1={A: A is a permutation column of S^1} C_0={B: B is a permutation column of S^0}

K out of n scheme  There is a k out of k scheme with expansion 2 k-1 and contrast α=2 -k+1.  In any k out of k scheme m≥2 k-1 and α≤2 1-k.  For any n and k, there is a k out of n VCS with m=log n 2 O(klog k), α=2 Ώ(k).

General Access Structure Question: Let  be a access structure. Is there an  -VC S ? Note that if there exists an  -VCS then Q should be monotone. Theorem: Let  =(Q,F) be a monotone access structure where F∩Q = , and let Z_M be the family of maximal forbidden sets in F. Then there exists a  -VCS with expansion less than or equal to 2^(|Z_M|-1).

Cumulative Array Method  Let  =(Q,F) be a monotone access structure where Q U F= 2^P.  Also, let F_1,…, F_t be maximal forbidden sets in F.  Let S^0 and S^1 be basis of white matrix and black matrix of t out of t VCS, respectively.  Construct n×2^(t-1) white basis matrix C^0 and black basis matrix C^1 of  as follows: I. For any participant i, set the i-th row of C^0 be the or of rows i_1,…,i_s of S^0 that i_1,…,i_s are rows of S^0 where for any 1 ≤j≤s, “ i’’ is not member of F_(i_j). II. Similarly, construct C^1.

Cumulative Array Method Example: Let P={1, 2, 3, 4},  _0={{1, 2}, {2, 3}, {3, 4}}, and Z_M={F_1,F_2, F_3}; F_1={1, 4},F_2={1, 3}, F_3={2, 4}. Hence, Theoretically, realizable.

New VCS, Color of Secret Tzeng and Hu, 2002  Let  =(Q, F) be an access structure on a set of n participants. A  - VCS_3 with expansion m and contrast  (m) consists of two collections of n×m matrices C_0 and C_1 such that: I. For any qualified subset X={i_1,…,i_k} and A ε C_0, the or V of rows i_1,…,i_k of A satisfies w(V) = t_X; whereas, II. For any non-qualified subset X={i_1,…,i_t}. The two collections of t×m matrices D_j, with j ε {0,1}, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t are indistinguishable in the sense that they contain the same matrices with the same frequencies. for any B ε C_1 it results that w(V)  t_X-  (m).m or for any B ε C_1 w(V) ≤ t_X-  (m).m.

New VCS, Color of Secret Tzeng and Hu, 2002

Extended VCS  In 1998, S. Droste introduced an extension of the visual cryptography. In fact, he has presented an extended VCS in which every combination of the transparencies can contain independent information.  In 2001, G. Ateniese, C. Blundo, A. Santis and D.R. Stinson has introduced another version of extended visual cryptography in which every share have to be an image.

Extended VCS Droste 1998  Consider multi-sets C^T (T is a subset of 2^P\{ф}) of n×m Boolean matrices which satisfy the following conditions. 1.For all X={i_1,…,i_k} and A ε C^T, where X is a member of T, the or V of rows i_1,…,i_t of A satisfies w(V)  t_X. 2.For all X={i_1,…,i_k} and A ε C^T, where X is not a member of T, the or V of rows i_1,…,i_k of A satisfies w(V)  t_X-  (m).m. 3.The condition of Security!

Extended VCS Droste 1998 C^{}= C^{{1,2}}= C^{{1},{1,2}}= C^{{2},{1,2}}= C^{{1},{2},{1,2}}= C^{{1}}= C^{{2}}= C^{{1},{2}}=

Extended VCS G. Ateniese, C. Blundo, A. Santis and D.R. Stinson, 2001

Extended VCS Droste 1998 C^{}= C^{{1,2}}= C^{{1},{1,2}}= C^{{2},{1,2}}= C^{{1},{2},{1,2}}= C^{{1}}= C^{{2}}= C^{{1},{2}}=

Extended VCS Droste 1998 C^{}= C^{{1,2}}= C^{{1},{1,2}}= C^{{2},{1,2}}= C^{{1},{2},{1,2}}= C^{{1}}= C^{{2}}= C^{{1},{2}}=

Colored Visual Cryptography The generalized “or” of elements (colors) in {a_0, a_1,..., a_{c−1}} equals a_i if all colors are equal to a_i, otherwise it equals BLACK Color.

Colored Visual Cryptography VERHEUL and VAN TILBORG, 1997  Let  =(Q, F) be an access structure on a set of n participants. The c collections of n×m matrices C_0, C_1,..., C_{c−1} constitute a c-colour  - VCS_1 with pixel expansion m, if there exist two integers h and l such that h > l satisfying: I.For any qualified subset X={i_1,…,i_k} and A ε C_i, the generalized or V of rows i_1,…,i_k of A satisfies Z_i(V)  h while for any j≠ i, Z_j(V) ≤ l. II.For any non-qualified subset X={i_1,…,i_t}. The collections of t×m matrices D_j, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t, are indistinguishable in the sense that they contain the same matrices with the same frequencies.

Colored Visual Cryptography 2 out of 5

Colored Visual Cryptography Yang and Laih, 2000

Probabilistic Visual Cryptography K out of n, Yang 2004  A k out of n ProbVSS_1 scheme can be shown as two multi-sets, C_0 and C_1; consisting of n×1 matrices which satisfies the following conditions:  For these matrices in the multi-set C_0 (resp. C1), the ‘‘OR’’-ed value of any k-tuple column vector V is L(V). These values of all matrices form a multi-set E_0 (resp. E_1), respectively.  The two multi-sets E_0 and E_1 satisfy that p_1≥p_t and P_0≤p_t- α, where p_0 and p_1 are the appearance probabilities of the ‘‘1’’ (black color) in the multi-sets E_0 and E_1, respectively.  For any subset {i_1,…,i_t} of participants with t<k the p_0 and p_1 are the same.

Probabilistic Visual Cryptography K out of n, Yang out of 2

Probabilistic Visual Cryptography K out of n, Yang out of 3

Share 1 Share 2 Secret 1 “VISUAL” Secret 2 “SECRET” Staking Rotating 72 o

 W.G. Tzeng and C.M. Hu, 2002, introduced another model for visual cryptography in which just minimal qualified subsets can recover the shared image by stacking their transparencies.  (C. Blundo, S. Cimato, and A. De Santis, 2006) Let  =(Q, F) be an access structure. The best pixel expansion of  -VCS_3 (basis matrices) satisfies

 (H. Hajiabolhassan and A. Cheraghi) Let  =(Q, F) be an access structure. Also, assume that there exist disjoint qualified sets A_1,...,A_t such that for any qualified set B ⊆ A_1 ∪ ··· ∪ A_t, one should have A_i ⊆ B for some 1 ≤ i ≤ t, i.e., A_i’s constitute an induced matching in Q. Then  One can consider another model for visual cryptography (VCS_4) in which minimal qualified subsets can recover the secret. In fact, we don’t mind whether non-minimal qualified subsets can obtain the secret.

 A graph access structure is an access structure for which the set of participants is the vertex set V (G) of a graph G = (V (G),E(G)), and the sets of participants qualified to reconstruct the secret image are precisely those containing an edge of G.  A strong edge coloring of a graph G is an edge coloring in which every color class is an induced matching. The strong chromatic index s′(G) is the minimum number of colors in a strong edge coloring of G.  (H. Hajiabolhassan and A. Cheraghi) Let G be a non- empty graph. Then m_4(G) ≤ min{2bc(G), 2s′(G)}.

Thanks for your attention!