colour visual cryptography schemes liu wu lin

8/2/2019 Colour Visual Cryptography Schemes Liu Wu Lin

1/15

Published in IET Information Security

Received on 27th March 2008

Revised on 4th July 2008

doi: 10.1049/iet-ifs:20080066

ISSN 1751-8709

Colour visual cryptography schemesF. Liu

1,* C.K. Wu1

X.J. Lin2

1The State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190,

Peoples Republic of China2

Computer Science and Technology, Ocean University of China, Qingdao 266100, Peoples Republic of China*Graduate University of Chinese Academy of Sciences, Beijing 100190, Peoples Republic of China

E-mail: [email protected]

Abstract: Visual cryptography scheme (VCS) is a kind of secret-sharing scheme which allows the encryption of a

secret image into n shares that are distributed to n participants. The beauty of such a scheme is that, the

decryption of the secret image requires neither the knowledge of cryptography nor complex computation.

Colour visual cryptography becomes an interesting research topic after the formal introduction of visual

cryptography by Naor and Shamir in 1995. The authors propose a colour (k, n)-VCS under the visual cryptography

model of Naor and Shamir with no pixel expansion, and a colour ( k, n)-extended visual cryptography scheme

((k, n)-EVCS) under the visual cryptography model of Naor and Shamir with pixel expansion the same as that of

its corresponding black and white (k, n)-EVCS. Furthermore, the authors propose a black and white (k, n)-VCS

and a black and white (k, n)-EVCS under the visual cryptography model of Tuyls. Based on the black and white

schemes, the authors propose a colour (k, n)-VCS and a colour (k, n)-EVCS under the same visual cryptography

model, of which the pixel expansions are the same as that of their corresponding black and white (k, n)-VCS and

(k, n)-EVCS, respectively. The authors also give the experimental results of the proposed schemes, and compare

the proposed scheme with known schemes in the literature.

1 Introduction

The formal definition of visual cryptography was firstintroduced by Naor and Shamir. The idea of the visualcryptography model proposed in [1] is to split an imageinto two random shares (printed on transparencies) which

separately reveal no information about the original secretimage other than the size of the secret image. The imageis composed of black and white pixels. The originalimage can be recovered by superimposing the two shares.

The underlying operation of this visual cryptography modelis OR.

A similar model of visual cryptography has been proposed,such as the visual cryptography model studied in [2, 3]. Thisnew visual cryptography model utilised the polarisation of thelight, which could realise the XOR operation, and had goodcolour, resolution and contrast properties.

The colour visual cryptography scheme (VCS) under thevisual cryptography model of Naor and Shamir has been

studied by many researchers [418]. The first approach torealise colour VCS is to print the colours in the secretimage on the transparencies directly. The expected colourappears through hiding the colours by using a special blackcolour, or through showing the mixed colour according tothe subtractive and additive colour models, see examples in

[4, 5, 8, 10, 1418]. Unfortunately, this approach has thefollowing disadvantages. First, this approach oftengenerates colour VCS with large pixel expansion. Forexample, the pixel expansion of the (k, n)-VCS in [16] isqk1, where q! c, and that in [18] is cm, and that in [15]is dlogcem, and that in [5] is c nk

2k2, where c is the

number of colours and m is the pixel expansion of thecorresponding black and white (k, n)-VCS that applied asthe building blocks. Secondly, this approach can onlyrepresent a small number of colours, the reason being thatthe pixel expansion of the colour VCS generated by thisapproach is related to the number of colours in the

recovered secret image, and the pixel expansion growsrapidly when the number of colours in the recovered secretimage increases. Hence, given a reasonable pixel expansion

IET Inf. Secur., 2008, Vol. 2, No. 4, pp. 151 165 151

doi: 10.1049/iet-ifs:20080066 & The Institution of Engineering and Technology 2008

www.ietdl.org

AlultKCLDoN32a1fIX Ra


2/15

in the practical sense (which cannot be too large), therecovered secret image can only represent a small numberof colours. Thirdly, the colour model of this approachassumes that the stacking of pixels with the same colour

will result in a pixel that has the same colour (such anassumption is used to simplify the constructions). However,

it is not true. The stacking of some lighter pixels will resultin a darker pixel. For example, the stacking of two redpixels will result in a wine pixel different from the originalred pixel. This is the colour darkening phenomenonbecause of stacking the pixels with the same colour.

The second approach to realise colour visual cryptographyis to convert a colour image into black and white images onthe three colour channels (red, green, blue or equivalentlycyan, magenta, yellow), respectively, and then apply theblack and white VCS to each of the colour channels. Thismethod can obtain smaller pixel expansion, but requires the

halftone process, which decreases the quality of the secretimage and which often results in the expansion of the inputimages. Examples can be found in [6, 7, 9, 13].

The third approach to realise colour visual cryptography isproposed by Lukac and Plataniotis [12]. Their method canrecover the secret image perfectly and requires only littlecomputation. Their method utilises the binaryrepresentation of the colour of a pixel and encrypts thesecret image at the bit-level. However, the method haspixel expansion m and needs the assistance of computingdevices for decrypting, and can only be applied under the

visual cryptography model of Naor and Shamir; the colourextended visual cryptography scheme (EVCS) was notconsidered, and the definition of EVCS can be found inSection 2.3.

The colour VCS under the visual cryptography model ofTuyls is attractive since it has good colour, resolution andcontrast properties. For example, the (n, n)-VCS under the

visual cryptography model can recover the secret imageperfectly. However, the colour VCS for general (k, n)access structure has not been studied, not to mention thecolour EVCS. This paper tries to construct a general colour(k, n)-VCS and a colour (k, n)-EVCS under the visual

cryptography model of Tuyls.

The main idea of our construction in this paper for colour(k, n)-VCS and colour(k, n)-EVCS is that, for each pixel inthe secret image, we first represent its colour by binary bits

with several bit-levels. Then, we encrypt the bits at eachbit-level by applying the corresponding black and whiteVCS and EVCS, where a corresponding VCS (resp.EVCS) is the VCS (resp. EVCS) that has the same accessstructure and under the same visual cryptography model.

Briefly, the contributions of this paper are as follows.

In Section 3, we propose a colour (k, n)-VCS and a colour(k, n)-EVCS under the visual cryptography model of Naorand Shamir. Both the schemes do not require the halftone

process. The colour (k, n)-VCS does not have pixelexpansion. The pixel expansion of the colour (k, n)-EVCSis the same as that of the corresponding black and white(k, n)-EVCS. In Section 4, we first propose a black and

white (k, n)-VCS and a black and white (k, n)-EVCSunder the XOR operation, that is, under the visual

cryptography model of Tuyls, and then based on the blackand white schemes we propose a colour (k, n)-VCS and acolour (k, n)-EVCS under the visual cryptography modelof Tuyls, where both of the colour schemes do not requirethe halftone process and have the same pixel expansion oftheir corresponding black and white (k, n)-VCS and (k, n)-EVCS, respectively.

Compared with the known results in the literature, theadvantages of our constructions are as follows. First,compared with the first approach of realising colour VCS[5, 6, 8, 10, 11, 1518], the pixel expansion of our

constructions is small, and our constructions have theability to represent all colours. Our colour model alsoconsiders the colour darkening phenomenon when stackingthe pixels with the same colour, which makes ourconstructions more practical. Second, compared with thesecond approach of realising colour VCS [6, 7, 9, 13], ourconstructions do not need the halftone process whilemaintaining small pixel expansion. Third, compared withthe third approach of realising colour VCS [12], ourconstructions do not need the assistances of computingdevices. Furthermore, compared with the constructions in[6, 9, 13], our constructions can generate VCS and EVCSfor general (k, n) threshold access structure, and theconstruction in [6, 9, 13] only generated VCS or EVCSfor specific access structures, for example the (2, 2) and(2, n) access structure. Explicit comparisons about ourconstruction and the known results in the literature can befound in Section 5.

The rest of this paper is organised as follows. In Section 2,we give some preliminary results about VCS including thedescription of the visual cryptography model of Tuyls, thedefinition of VCS and EVCS, the basis principles of colourmodels and the multi-pixel encryption method. In Section3, we propose some constructions of colour (k, n)-VCS and

colour (k, n)-EVCS under the visual cryptography modelof Naor and Shamir. In Section 4, we propose theconstructions of colour (k, n)-VCS and colour (k, n)-EVCS under the visual cryptography model of Tuyls. InSection 5, we give the comparisons of the proposedconstructions and the constructions in the literature.Section 6 concludes the paper.

2 Preliminaries

2.1 Visual cryptography model of Tuyls

Tuyls et al. [2, 3] proposed a new physical system for VCS,which can realise the XOR operation. Their main idea is toinsert a new liquid crystal (LC) layer into a liquid crystal

152 IET Inf. Secur., 2008, Vol. 2, No. 4, pp. 151165

& The Institution of Engineering and Technology 2008 doi: 10.1049/iet-ifs:20080066

www.ietdl.org



3/15

display (LCD) that already has an LC layer. Thus, such asystem contains five layers which are the back-light, thefirst polariser, the first LC layer, the second LC layer andthe second polariser. Depending on the voltage that isapplied to an LC cell, this LC cell will rotate thepolarisation of the light that enters it to a certain angle.

The angle rotated by the cell of the first LC layer isdenoted as a1 [ [0, p] and that by the cell of the secondLC layer as a2 [ [0, p]. Then, the total angle rotated bythe two LC layers is denoted as a a1 a2. The secondpolariser emits the same light of the first polariser. Let Irdenote the normalised intensity of the recovered pixel[2, 3], then we have

Ir(a) cos2a cos2(a1 a2)

When a1, a2 [ f0, p/2g, since cos(p) cos(0) 1, the

system forms a black and white visual cryptography modelwith an underlying operation of XOR.

As LC layers can be driven electronically (as in LCDs), thekey can be easily updated (using pseudo random numbergenerators), which leads to a practical updating mechanism.Finally, the decryption display will be rather simple, it isonly equipped with simple dedicated hardware such as apseudo random number generator and a storage device, andhaving interaction with the untrusted communicationdevice, which is purely optical. These traits make thissystem practical [2, 3].

2.2 Definition of VCS

In general, a (k, n)-VCS divides a secret image into n shares,which are distributed to n participants. Anyk out ofn sharescan recover the secret image, but any less than k shares do nothave any information about the secret image other than thesize of the secret image. Besides, a colour (k, n)-VCSshould assume that the secret image, the shares and therecovered secret image are all colourful.

Because all the constructions of colour VCS of this study

take their corresponding black and white VCS as buildingblocks, in this section, we will give some definitions aboutthe black and white VCS, where we denote a black pixel by1 and a white pixel by 0.

For a vectorv [ GFm(2), we denote the Hamming weightof the vector v by w(v). A black and white (k, n)-VCS,denoted by (C0, C1), consists of two collections of n mbinary matrices, C0 and C1. To share a white (resp. black)pixel, a dealer (the one who sets up the system) randomlychooses one of the matrices in C0(resp. C1) and distributesits rows (shares) to the n participants of the scheme. More

precisely, we give a formal definition of the black and white(k, n)-VCS as follows, where we use a dot () operation todenote an OR or XOR operation in a VCS.

Definition 1: Let k, n, m and h be non-negative integerssatisfying 2 k n and 0 , h m. The two collections ofn m binary matrices (C0, C1) constitute a black and

white (k, n)-VCS if there exists a value a (. 0) satisfying:

1. (contrast) for anys [ C0, the operation of anyk out of

the n rows of s is a vectorv that satisfies w(v) h2 am.

2. (contrast) for anys [ C1, the operation of anyk out ofthe n rows of s is a vectorv that satisfies w(v) ! h.

3. (security) for any i1 , i2 , , it in{1, 2, . . . , n} witht, k, the two collections of t m matrices Dj, j 0, 1,obtained by restricting each n m matrix in Cj, j 0, 1,to rows i1, i2, . . . , it, are indistinguishable in the sense thatthey contain the same matrices with the same frequencies.

Note: in the above definition,

1. v is the resulting vector of the restricted k out of the n rowsunder the operation . The notation stands for theoperation OR or XOR for the black and white VCS, andfor colour VCS, the underlying operation of this study willbe defined in Section 2.4.

2. m is the pixel expansion of the scheme.

3. a is called the contrast of the scheme.

In Definition 1, the first two contrast conditions ensurethat the stacking of

kout of

nshares can recover the secret

image. The security condition ensures that, any less than kshares cannot obtain any information about the secretimage other than its size.

We consider VCS where C0 and C1 are constructed from apair of n m matrices M0 and M1, which are called basismatrices. The set Ci(i 0, 1) consists of the m! matricesobtained by applying all permutations to the columns of

Mi. This approach of VCS construction will have smallmemory requirements (it only keeps the basis matrices) andhigh efficiency [to choose a matrix in C0(resp. C1), it onlyneeds to generate a permutation of the basis matrix].

In this paper, we denote P(Mi) as a random columnpermutation of Mi. We will use the basis matrices tosimplify the discussions.

2.3 Definition of EVCS

In general, a (k, n)-EVCS takes a secret image and n originalshare images as inputs, and outputs n shares that satisfy thefollowing three conditions: first, any k out of n shares canrecover the secret image; secondly, any less than k sharescannot obtain any information about the secret image other

than the size of the secret image; and thirdly, all the sharesare meaningful images. Besides, a colour (k, n)-EVCSshould fulfil the condition that the secret image, the



www.ietdl.org



4/15

original share images, the shares and the recovered secretimage are all colourful.

Because all the constructions of colour EVCS of this studytake their corresponding black and white EVCS as buildingblocks, in this section, we will give some definitions about

the black and white EVCS. Note that, for the black andwhite EVCS, the colour of a pixel only has two possiblevalues black and white.

We denote Cc1;...;cnc as the collections of matrices fromwhich the dealer chooses a matrix to encrypt, wherec, c1, . . . , cn [ {1, 0}. For i 1, . . . , n, ci is the colour ofthe pixel on the ith original share image, and c is the colourof the secret image. Hence, to realise a black and white (k,n)-EVCS, we have to construct 2n pairs of such collections(C

c1;...;cn0 , C

c1;...;cn1 ), one for each possible combination of

white and black pixels in the n original share images. A

black and white (k, n)-EVCS is defined as follows.

Definition 2 ([1]): A family of 2n pairs of collectionsof n m0 binary matrices {(C

c1 ,...,cn0 , C

c1 ,...,cn1 )}c1 ,...,cn[{1,0},

constitute a black and white (k, n)-EVCS if there existvalues aF(. 0), aS(. 0) and h satisfying:

1. (contrast) for anyM[ Cc1;...;cn0 , the operation of any k

out of n rows of M is a vector v that satisfiesw(v) (h aFm

0), and for any M[ Cc1;...;cn1 , we have

w(v) ! h.

2. (security) for any i1

, i2

, , it

in{1, 2, . . . , n} witht, k, the two collections of t m0 matrices Dc1 ,...,cnj , j0, 1, obtained by restricting each n m0 matrix in C

c1;...;cnj

to rows i1, i2, . . . , it, are indistinguishable in the sense thatthey contain the same matrices with the same frequencies.

3. (contrast) after the original share images are encrypted,the shares are still meaningful. Formally, for anyi[ {1, 2, . . . , n} and any c, c1, . . . , ci1, ci1, . . . , cn[ {0, 1},

with the ith row ofM denoted as M[i], we have

minM[M1

w(M[i]) maxM[M0

w(M[i])!aSm0

where

M1 [

c,c1 ,...,cn[{0,1}

Cc1,...,c(i1)1c(i1),...,cnc and

M0 [

c,c1 ,...,cn[{0,1}

Cc1,...,c(i1)0c(i1),...,cnc

In the above Definition 2, m0 is the pixel expansion of theblack and white (k, n)-EVCS. aF and aS are the contrastof the recovered secret image and that of the shares,respectively.

Similarly, as discussed in Section 2.2, we consider EVCSwhere Cc1,...,cnc (c, c1, . . . ,cn [ {0, 1}) are constructed from the

n m0 basis matrices Sc1 ,...,cnc . The set Cc1 ,...,cnc consists of

the m0! matrices obtained by applying all permutations tothe columns of Sc1 ,...,cnc . Denote P(S

c1 ,...,cnc ) as a random

column permutation ofSc1 ,...,cnc .

In Definition 2, the first and second conditions correspond

to the contrast and security conditions of Definition 1, andthe third condition implies that the original share imagesare not modified, that is, after we encrypt the n originalimages by using the 2n pairs of collections{(C

c1,...,cn0 , C

c1 ,...,cn1 )}, where c1, . . . , cn [ {0, 1}, the

encrypted shares are still meaningful.

Naor and Shamir first mentioned a simple example of blackand white EVCS in [1], that is, each share carries a meaningfulimage rather than a noise image. Droste [19] proposed a newblack and white EVCS that not only encrypts the shares withmeaningful images but also decrypts different secret images by

stacking different combinations of shares. Ateniese et al. [20]have formalised the framework of black and white EVCS forgeneral access structures. All of the above schemes are underthe visual cryptography model of Naor and Shamir that is,under the operation OR. However, for the general black and

white (k, n)-EVCS under the visual cryptography model ofTuyls [2, 3], that is, under the operation XOR, there are nosuch constructions. In Section 4.2, we propose a black and

white (k, n)-EVCS under the XOR operation that is underthe visual cryptography model of Tuyls. Also, based on theblack and white (k, n)-EVCS, we propose a colour (k, n)-EVCS under the visual cryptography model of Tuyls inSection 4.3.

2.4 Basic principles of colour models

The additive and subtractive colour models are widely used todescribe the constitutions of colours. In the additive colourmodel, the three primary colours are red, green and blue(RGB), with desired colours being obtained by mixingdifferent RGB channels. By controlling the intensity of red(resp. green or blue) channel, we can modulate the amountof red (resp. green or blue) in compound light. The morethe mixed-coloured light, the more is the brightness of thelight. Mixing the red, green and blue channels of equal

intensities, results in white colour light. The computerscreen is a good example of the additive colour model. Inthe subtractive colour model, the colour is represented byapplying the combinations of coloured light reflected fromthe surface of an object (because most objects do not radiateby themselves). For example take an apple under naturallight; the surface of the apple absorbs the green and blueparts of the natural light and reflects the red light to humaneyes and, thus, it becomes a red apple. By mixing cyan (C)

with magenta (M) and yellow (Y) pigments, we canproduce a wide range of colours. The more the pigmentadded, the lower is the intensity of the light is, and thus the

darker is the light. This is why it is called the subtractivemodel. C, M and Y are the three primitive colours ofpigment, which cannot be composed from other colours.



www.ietdl.org



5/15

In the computer, a natural colour image can be divided intothree colour channels: red, green and blue (or equivalentlycyan, magenta and yellow), and each channel will constitutea grey-level image, where each pixel can be represented by abinary value of 8 bits. Denote x(p,q) [x(p,q)1, x(p,q)2, x(p,q)3]as the colour of a pixel located at the position (p, q) of a

colour image of size K1 K2 for p 1, 2,. . .

, K1 andq 1, 2, . . . , K2. Let t describe the colour channel (e.g.t 1 for red, t 2 for green and t 3 for blue) and thecolour component x(p,q)t is coded with a binary value of8-bits allowing x(p,q)t to be an integer value between 0 and282 1 255 and, hence, the colour of the pixel x(p,q) canbe expressed in a binary form as follows

x(p,q) X8i1

xi(p,q)2

8i

where xi(p,q) [xi(p,q)1, x

i(p,q)2, x

i(p,q)3] [ {0, 1}

3 denote the

binary vector at the ith bit-level, with i 1 denoting themost significant bit and i 2 denoting the second mostsignificant bit. In such a way, a natural colour image isdivided into 24 binary images.

By the grey level of a pixel, we mean the darkness of thepixel appears for each colour channel. In this study, wedivide the distance between a black and a white pixel, foreach colour channel, into 256 grey levels. Define the greylevel 0 for a complete white pixel, and the grey level 255 fora complete black pixel. Note that this definition of black and

white pixels is just the opposite to their traditional

definitions on computer. Under this definition, the 1s and0s in the binary representation of the grey level correspondto black and white bits, respectively, which is consistent withtheir traditional definitions in visual cryptography.

Because we divide 256 grey levels for each colour channel,each colour channel can be expressed by a binary vector of8 bits. To construct such a colour VCS, different bit-levelsshould be assigned with different grey levels in order torepresent the target colour (grey level). For example, we canprint a pixel with a grey level a1 for the most significant bit,and a2 for the second most significant bit under the visualcryptography model of Naor and Shamir. For the VCS

under the visual cryptography model of Tuyls, we rotatethrough an angle (a1/256 . p/2) for the most significant bit,and through (a2/256 . p/2) for the second most significantbit and so on, where ai[ [0, 255], for i[ f1, . . . , 8g.

Then, we show the principles of the coloursuperimposition for the visual cryptography model of Naorand Shamir and those of Tuyls, respectively. To simplifythe discussion, we take one colour channel as an example.

First, for the visual cryptography model of Naor andShamir, the basic principle of the colour by superimposing

two pixels is defined as follows: for a pixel with a greylevel ai and a pixel with a grey level aj, the grey level ofthe result pixel by stacking the two pixels will be

(2552 ((2552 ai)(2552 aj)/255)). This definition ofcolour superimposition is widely accepted: see the examplesin [5]. (Note that our representation of that grey level ofthe resulting pixel is different from that in [5], the reasonbeing that we define the grey level 255 as the black pixeland grey level 0 as the white pixel, whereas the definition

in [5] is just the opposite. It is easy to verify that ourrepresentation is equivalent to that in [5]).

Secondly, for the visual cryptography model of Tuyls, thebasic principle of the colour by superimposing the shares isdefined as follows: for a pixel with a grey level ai and apixel with a grey level aj, which are realised by rotating theangles (ai/256 . p/2) and (aj/256 . p/2) for the first andthe second LC layers, respectively, the grey level of thesuperimposition of the two pixels will be ai aj, which isrealised by rotating through an angle (ai aj)=256 p=2.

2.5 Multi-pixel encryption methodIn most cases, the encryption of the VCS causes theexpansion of the shares, which will lower the resolution ofthe recovered secret image and enlarge the storage of theshares. Ito et al. [21] and Yang [22] propose a method thatencrypts a pixel by randomly choosing a column in thebasis matrix; this method results in no pixel expansion.Unfortunately, the recovered secret image appears to be aclutter; many noise-like pixels appear in the recoveredsecret image. To mitigate this phenomenon, Hou and TUproposed a new method in [7], which encrypts a block ofm pixels at a time. This method results in no pixel

expansion and has a better visual effect in the recoveredsecret image than the method in [21, 22]. In this paper, wemake use of the multi-pixel encryption method to reducethe pixel expansion of our colour VCS.

Denote M0 and M1 as the n m basis matrices for a blackand white (k, n)-VCS, which satisfy Definition 1. Denote bas the number of the black pixels in a block of m pixels.Denote eb as the number of blocks, with b black pixels,

which have already been encrypted. The multi-pixelencryption method of [7] encrypts a block of m pixels at atime and can be described as follows:

2.5.1 Algorithm 1 ([7]): Input:The secret image and thebasis matrices for a black and white (k, n)-VCS, M0 and M1,

which have pixel expansion m.

Output: The shares Si for i 1, . . . , n.

Step 1: Seteb 0 for b 1, 2, . . ., m;

Step 2: Pick up a block of m pixels, p1, p2, . . . , pm, in thesecret image, and denote b as the number of black pixelsamong them;

Step 3: Put the m sub-pixels in the ith row of P(M) to thecorresponding positions of p1, p2, . . . , pm in the ith share



www.ietdl.org



6/15

for i 1, . . . , n, where P(M) is a random columnpermutation ofMand the basis matrixMis decided as follows

if eb mod m , b then MM1else M M0

Step 4: Seteb eb 1;

Step 5: RepeattheSteps2,3and4untilallthepixelsofthesecretimage are encrypted and output the n shares Sifori 1, . . . , n.

For a block ofm pixels that have bblack pixels, Algorithm 1showsamethodtoencryptthesem pixels withthe basis matricesM0 and M1, where M0 contributes with a probability of b/mand M1 contributes with a probability of (m2 b)/m exactly.By such a method, the recovered secret image has a better

visual effect than the scheme in [21]; the experimental resultsabout the multi-pixel encryption can be found in [7]. An

example of Algorithm 1 can be found in Example 1.

The security of the multi-pixel encryption method hasbeen proved by Hou and Tu [7]; we refer to their result bythe following theorem:

Theorem 1 ([7]): Algorithm 1 generates n shares Sifor i 1, . . . , n, where less than k out of these n sharescannot obtain any information about the secret image otherthan the size of the secret image.

Proof: According to Algorithm 1, each block ofm pixels in

the secret image is encrypted by eitherP(M0) or P(M1), andbecause M0 and M1 are the basis matrices of a black and

white (k, n)-VCS, which satisfies the security condition ofDefinition 1, i.e. given any less than k shares, then itcannot tell whether a block of m pixels in the secret imageis encrypted by P(M0) or P(M1), as both are equally likely.Hence the conclusion of the theorem follows. A

Note that the multi-pixel encryption is a method to reducethe pixel expansion while maintaining better visual effect.However, for the encryption of a single pixel, the generatedshares do not satisfy the contrast conditions of Definition 1since a white pixel may occasionally be wrongly representedby a black pixel and vice versa.

3 Colour VCS and colour EVCSunder the visual cryptographymodel of Naor and Shamir

Usually, a colour visual cryptography model has large pixelexpansion. In this section, we propose a construction ofcolour (k, n)-VCS and a construction of colour (k, n)-EVCSunder the visual cryptography model of Naor and Shamir.For the proposed colour (k, n)-VCS, the advantages of the

scheme are as follows: it takes a natural image as input, whichdo not need the halftone process, and has no pixel expansion.For the proposed colour (k, n)-EVCS, the advantages of this

scheme are as follows: it realises the colour (k, n)-EVCS withpixel expansion m0 for general access structures and does notrequire the halftone process (recall that m0 is the pixelexpansion of the corresponding black and white (k, n)-EVCS).

Construction 1 below constructs the colour (k, n)-VCS by

Steps 1, 2, 3 and 4, and constructs the colour ( k, n)-EVCS bySteps 10, 20, 3 and 4:

Construction 1: Constructions of the colour (k, n)-VCS andthe colour (k, n)-EVCS under the visual cryptographymodel of Naor and Shamir:

Setup: Denote the n m matrices M0 and M1 as the basismatrices of a corresponding black and white (k, n)-VCSunder the visual cryptography model of Naor and Shamir.Denote the n m0 matrices Mc1,...,cnc as the basis matricesof a corresponding black and white (k, n)-EVCS under the

visual cryptography model of Naor and Shamir, wherec, c1, . . . , cn [ {0, 1}. Denote aj as the grey level of 1s atbit-level j, j[ f1, 2, . . . , 8g.


Step 1: Represent the grey levels of each colour channel (C, Mand Y, respectively) of all the pixels in the secret image by

vectors of 8 bits, that is, the secret image is divided into8 bit-levels and each bit-level forms a binary image.

Step 10: Represent the grey levels of each colour channel (C, M

and Y, respectively) of all the pixels in the secret image (resp.the n original share images) by vectors of 8 bits, that is, thesecret image (resp. the n original share images) is dividedinto 8 bit-levels and each bit-level forms a binary image.

Step 2: For each bit-level jand each colour channel, choose ablock ofm pixels in the binary secret image, and encrypt the mbits by applying Algorithm 1 for the colour channels C, M and

Y and bit-levels j[ {1, 2, . . . , 8}, respectively, in whichreplace the 1s in M0 orM1 by the grey level aj and leave the0s intact.

Step 20: For each bit-level jand each colour channel, encrypt a

bit byP(Mc1 ,...,cnc ) for the colour channels C, M and Y and bit-levels j[ {1, 2, . . . , 8}, respectively, in which P(Mc1 ,...,cnc ) is arandom column permutation ofMc1 ,...,cnc and replace the 1s inP(Mc1 ,...,cnc ) by the grey level ajand leave the 0s intact.

Step 3: Repeat the steps 1 and 2 (resp. 10 and 20) until all thepixels in the secret image have been encrypted. Then, weobtain the shares s1i,t, s

2i,t, . . . , s

8i,t where i[ {1, 2, . . . , n},

t[ {C, M, Y} and the share sji,t is denoted as the share forthe participantiat the bit-level jfor the colour channel t.

Step 4: Each participantiis distributed with a share Si, where

Si is generated by stacking the shares at the different bit-levelsand of the different colour channels s1i,C, s2i,C, . . . , s

8i,C, s

1i,M,

s2i,M, . . . , s8i,M, s

1i,Y, s

2i,Y, . . . , s

8i,Y for i[ {1, 2, . . . , n}.



www.ietdl.org



7/15

In Construction 1, Steps 1 and 10 divides the secret image(resp. the n original shares images) into 8 bit-levels and threecolour channels. In fact, the colour images stored in thecomputer, such as the bitmap image file, are of this format.

Then, in Steps 2, 20 and 3, we encrypt each bit-level andcolour channel, respectively. More specifically, when we

encrypt the binary secret image at bit-level j by applyingthe corresponding black and white (k, n)-VCS, for the bit-level j, we print pixels with grey level aj for the 1s ofM0,M1 and M

c1,...,cnc , and leave the pixel intact for the 0s of

M0, M1 and Mc1,...,cnc . Then, we construct 24 shares in total

for each participant, that is, the shares s1i,C, s2i,C, . . . , s

8i,C,

s1i,M, s2i,M, . . . , s

8i,M, s

1i,Y, s

2i,Y, . . . , s

8i,Y. The final shares for

the participants are constructed by superimposing the 24shares in Step 4. One can easily observe that shares at thebit-level j can recover the jth binary image (bit-level) of thesecret image visually. Thus, by superimposing the shares ofall the bit-levels, the original secret image appears visually

with all the bit-levels.

We need to point out that, taking the characteristic of thehuman visual system into consideration, the dealer does notneed to generate all the shares for all the bit-levels, sincethe information about a higher bit-level is not as importantas that of a lower bit-level for the human visual system,that is, the dealer only generates the shares for several lowerbit-levels in the practical sense. In Examples 1 and 3, weonly generated the shares for the most and second mostsignificant bit-levels.

In Step 2, Algorithm 1 encrypts a block of m pixels at atime by using the m columns of the basis matrices, whichresults in no pixel expansion. For general colour (k, n)-VCS, one can make use of the basis matrices of thecorresponding black and white (k, n)-VCS proposed in[1, 19, 23] and so on.

In Step 20, because the encryption uses the n m0 basismatrix Mc1,...,cnc , this later scheme results in the pixelexpansion m0, that is, the same as that of the correspondingblack and white EVCS. For general colour (k, n)-EVCS,one can make use of the basis matrices of the correspondingblack and white (k, n)-EVCS proposed in [19, 20].

As for the security of Construction 1, according toDefinitions 1 and 2, and Theorem 1, we have the followingtheorem:

Theorem 2: Construction 1 generates n shares Si fori 1, . . ., n, where less than k out of n shares cannot getany information about the secret image other than the sizeof the secret image.

Proof: In Construction 1, the corresponding black and white(k, n)-VCS and (k, n)-EVCS are used to encrypt the secret

bits at each bit-level and each colour channel, respectively,that is, for a particular bit-level j (1 j 8) and a colourchannel X (X C, M, Y), the shares s

j1,X, s

j2,X, . . . , s

jn,X

constitute a black and white (k, n)-VCS. Because of thesecurity conditions of Definitions 1 and 2 and Theorem 1,any less than k out of n shares cannot obtain anyinformation about the secret image other than the size of thesecret image on the bit-level j and colour channel X, andthey cannot get any information about the secret image for

other bit-levels and colour channels either, since theconstruction of the shares s

j1,X, s

j2,X, . . . , s

jn,X is irrelevant

to the information about the secret image on those bit-levelsand colour channels. By applying the above discussions to allthe bit-levels and colour channels, we have that any less thank out ofn shares cannot get any information about the secretimage other than the size of the secret image. A

For the colour VCS under the visual cryptography modelof Naor and Shamir, the 0s in the transparencies for allbit-levels are intact (i.e. with grey level 0), and the 1s forthe bit-level j is assigned with grey level aj. Hence, the

distance between the 0s and 1s for bit-level j is aj. Thelarger the value of aj, the more apparent is the differencebetween black and white pixels at bit-level j. For two bit-levels i and j, where i,j, they should satisfy ai. aj. Forexample, the grey levels of the most and second mostsignificant bits a1 and a2 should satisfy a1 . a2, and thelarger the value of (a12 a2), the more apparent the mostsignificant bits appear in the recovered secret image, and

vice versa. Hence, for different types of secret images, thedealer should choose the grey levels carefully for differentapplications.

An example of Construction 1 is as follows:

Example 1: For the construction of a colour (2, 2)-VCS byConstruction 1: let the basis matrices used in Algorithm 1 ofthe corresponding black and white (2, 2)-VCS be

M0 1010

!and M1

1001

!, where the pixel expansion

is m 2. To simplify the example, we take a secret imagewith only two bit-levels as example, that is, each pixel onlyhas the most and second most significant bits for each colourchannel. In such case, the grey levels of each colour channelonly have the four values 192, 128, 64 and 0. Let theparameters of Algorithm 1 be e0 0, e1 0 and e2 0 for

the most significant bit-level and e00 0, e01 0 and e02 0for the second most significant bit-level. We take theencryption of a block of 2 pixels with the grey levels 192 and128 as example. We come to know that the most significantbits of the two pixels are 1, 1. Because (e2 mod m) (0 mod2) 0, 2, we encrypt the two bits by P(M1), where wereplace the 1s in M1 by the grey level a1 and leave the 0s inP(M1) intact; then, we set e2 1. Then, the second mostsignificant bits are 1, 0. Because (e1

0 mod m) (0 mod1) 0, 1, we encrypt the two bits by P(M1), where wereplace the 1s in M1 by the grey level a2 and leave the 0s inP(M1) intact; then, we set e

01 1. By encrypting all the

blocks in the secret image, we obtain six shares for eachparticipant i as S1i,C, S2i,C, S

1i,M, S

2i,M, S

1i,Y and S

2i,Y. By

stacking the six shares, we obtain the final share Si for



www.ietdl.org



8/15

participanti. Fig. 1 shows the experimental results of the colour(2, 2)-VCS, where we set the grey levels a1 128 and a2 64.

Similarly, for the construction of colour (2, 2)-EVCS byConstruction 1: let the basis matrices of the corresponding

black and white (2, 2)-EVCS be the second example inExample 2 in Section 4.2, where the pixel expansion is4. Also, let the secret image and the original share imagesonly have two bit-levels for each colour channel. For theencryption of a pixel where the grey levels of the secret imageand the two original share images are 192, 128 and 64, themost significant bits of the pixel in the three images are 1, 1,0. Hence, we encrypt the most significant bit of this pixel byP(S1

10). Similarly, we encrypt the second most significantbits of this pixel by P(S1

01), where we replace the 1s inP(S1

10) and P(S101) by the grey levels a1 and a2, respectively.

By encrypting all the pixels in the secret image, we obtainsix shares for each participant i as S1i,C, S

2i,C, S

1i,M,

S2i,M, S1i,Y and S2i,Y. By stacking the six shares, we obtain thefinal share Si for participanti. Fig. 2 shows the experimentalresults of the colour (2, 2)-EVCS, where we set the greylevels a1 180 and a2 65.

Under the ideal subtractive colour model, the stacking ofthe qualified colour shares can recover the secret image

visually. However, such an ideal subtractive colour mixtureis impractical because of the properties of the ink. To

alleviate this phenomenon, we propose to divide the colourinto three channels C, M and Y, and print each channel ofthe colour on adjacent pixels, respectively. Superimpositionof the same colour channel results in better visual effect.However, this method will expand the output images threetimes.

4 Colour VCS and colour EVCSunder the visual cryptographymodel of Tuyls

In Sections 4.1 and 4.2, we first propose a black and white(k, n)-VCS and a black and white (k, n)-EVCS under the

XOR operation as primary building blocks for our furtherconstructions. Based on that, we then propose a colour(k, n)-VCS and a colour (k, n)-EVCS under the visualcryptography model of Tuyls, where both of the colour

schemes do not require the halftone process and have thesame pixel expansion of their corresponding black andwhite (k, n)-VCS and (k, n)-EVCS, respectively.

4.1 Black and white (k, n)-VCS under thevisual cryptography model of Tuyls

Droste [19] proposed an algorithm to construct (k, n)-VCSunder the OR operation, that is, under the visualcryptography model of Naor and Shamir. In this section,

we will prove that the basis matrices constructed by thatalgorithm is also a (k, n)-VCS under the XOR operation,that is under the visual cryptography model of Tuyls.

Drostes algorithm can be described as follows.

First, we give a sub-routine ADD(p, M) which is used toadd each restriction of k rows of a matrix M every column

with p 1s by adding columns to the entire matrix M,where a matrix is considered as a collection of columns.

ADD(p,M): 1: Ifp k2p, add all the columns with qp1s to M, that is, the number of columns of M is increasedby nq

.

2: Ifp! k p, add all the columns with q p n k 1s to

M, that is, the number of columns ofMis increased by nq

.

The sub-routine ADD(p, M) makes it easy to constructbasis matrices M0(resp. M1) whose restrictions to k rowsalways contain every even (resp. odd) column (an evencolumn is a one that contains even number of 1s; an oddcolumn is one that contains odd number of 1s). Whenevery even (resp. odd) column is removed once from everyrestriction of M0 (resp. M1), the remaining columnsmaintain the same, i.e., those remaining columns areunchanged regardless which k rows are restricted, and

whether they are from M0 or M1. Hence, the remaining

columns of every restriction of M0, which are notremaining columns of every restriction of M1, called therest ofM0, have to be added to every restriction ofM1 and

Figure 1 Experimental results of the colour (2, 2)-VCS with

no pixel expansion under the visual cryptography model of

Naor and Shamir

a Original secret imageb Resulting image by superimposing Figs. 1c and 1d

c Encrypted sharesd Encrypted sharesSize of the secret image is 256 256



www.ietdl.org



9/15

vice versa. In most cases, these added columns will create new

rests which cause new columns to be added. The algorithmhas the following form:

4.1.1 Algorithm 2 ([19]): Input: The parameters k andn, and two empty basis matrices M0 and M1, where thebasis matrices M0 and M1 are considered as collections ofcolumns;

Output: The basis matrices M0 and M1 for a (k, n)-VCS;

Step 1: For all even p[ {0, . . . , k}, call ADD(p, M0);

Step 2: For all odd p[ {0,. . .

, k}, call ADD(p, M1);

Step 3: While the rests ofM0 and M1 are not empty:

(a) Add to M0 all columns adjusting the rest ofM1 by callingADD.

(b) Add to M1 all columns adjusting the rest ofM0 by callingADD.

Execute the Step 3 until the rests of M0 and M1 are empty.

Then, we show that Algorithm 2 also generates a (k, n)-VCS under the XOR operation, that is under the visualcryptography model of Tuyls.

Theorem 3: Algorithm 2 generates the basis matrices of a(k, n)-VCS, M0 and M1, under the XOR operation.

Proof: We need to prove that the basis matrices M0 and M1satisfy the contrast and security conditions of Definition 1.

First, for the contrast condition, we need to prove that theHamming weight of the stacking (XOR operation) of any kout ofn rows ofM0 is less than that ofM1.

Denote M0k(resp. M1

k) as the sub-matrix generated byrestricting to arbitrary k rows ofM0(resp. M1). Accordingto the Steps 1 and 2 in Algorithm 2, it is clear that all the

even (resp. odd) columns appear in Mk0(resp. Mk1). DenoteI

k0(resp. I

k1) as the matrix whose columns are all the even

(resp. odd) columns of length k. Because Algorithm 2terminates when the rests of M0 and M1 are empty, atimplies that the remaining columns ofM0 and M1 are thesame, that is, Mk0nI

k0 M

k1nI

k1. Denote R as the remaining

columns of M0 and M1, we have Mk0 I

k0 < R and

Mk1 I

k1 < R. Because the XOR (operation) of the entries

of an even (resp. odd) column is 0 (resp. 1), we have thatthe Hamming weight of the stacking (XOR operation) ofthe rows of Mk0 is less than that of M

k1. Hence, the

contrast condition is satisfied.

Secondly, for the security condition, we need to provethat the sub-matrices of any less than k rows of M0 and

Figure 2 Experimental results of the colour (2, 2)-EVCS with pixel expansion of 4 under the visual cryptography model of Naor

and Shamir

a Original two share imageb Original two share imagec Original secret imaged Encrypted sharese Encrypted sharesf Resulting image by superimposing the shares Figs. 2d and 2eSize of the secret image is 200 200



www.ietdl.org



10/15

M1 have the same columns, and only in such a case, allthe column permutations of the two sub-matrices willgenerate the same collection, that is, the security conditionis satisfied.

Denote Mt0(resp. Mt1) as the sub-matrix generated by

restricting to arbitrary t rows of M0(resp. M1), wheret, k. Denote Mk0(resp. M

k1) as the sub-matrix generated

by concatenating Mt0(resp. Mt1) and arbitrary k2 t

rows chosen from the remaining rows of M0(resp. M1)(other than the rows in Mt0 and M

t1). As discussed above,

we have Mk0 Ik0 < R and M

k1 I

k1 < R, where I

k0(resp.

Ik1) is the matrix that contains all the even (resp. odd)

columns of length k. Note that Ik0 and Ik1 are the basis

matrices of a (k, k)-VCS proposed in [1, 19]. We have thatthe sub-matrices generated by restricting to any t rows ofI

k0 and I

k1 have the same columns. Hence, the sub-matrices

generated by restricting to any t rows ofMk0 and Mk1 have

the same columns, that is, the security condition issatisfied. A

4.2 Black and white (k, n)-EVCS under thevisual cryptography model of Tuyls

In this section, we propose a black and white (k, n)-EVCSunder the visual cryptography model of Tuyls, that is underthe XOR operation, as follows:

Algorithm 3: Denote Sc1;...;cnc as the basis matrix for that then original share images have colourc1; . . . ; cn and the secretimage has colour c for c

1

; . . . ; cn, c[ {0, 1}. Denote the

binary matrices M0 and M1 as the basis matrices of ablack and white (k, n)-VCS under the operation XOR,

where all the rows of M0(resp. M1) have the sameHamming weight. Denote a as its contrast and m as itspixel expansion.

Step 1: Construct an n l matrix D as follows (lis an integersatisfying 1 l , am):

For i 1 to n do

{

If ci

1 then setall the entries of row i inD

to 1:

Else setall the entries of row i in D to 0:

}

Step 2: The basis matrices Sc1;...;cnc are obtained byconcatenating the matrix D with M0 and M1 that is

Sc1;...;cnc

[M0, D], if c 0[M1, D], if c 1

&

where the notation [M, D] means the concatenation of thetwo matrices M and D.

It is easy to verify that the above construction generates ageneral black and white (k, n)-EVCS under the operation

XOR, and the basis matrices M0 and M1 can be the basismatrices constructed in Section 4.1 and [24]. Ifa . m 1holds, then, we can replace M0 and M1 by the matrices[M0, M0] and [M1, M1], respectively. Note that, the basismatrices generated in Section 4.1 always satisfy am . 1;hence, we can let l 1 for any access structure. In fact,

Algorithm 3 is not restricted to threshold EVCS only; itcan be applied to the general access structure EVCS giventhatM0 and M1 are the basis matrices of the general accessstructure VCS. Because of the lack of VCS for the generalaccess structure, this paper only considers the thresholdaccess structure for the case of EVCS. However, if such aVCS of the general access structure exists, then ourapproach can be applied to generate the correspondingEVCS under the operation XOR directly.

Formally, we have the following theorem:

Theorem 4: Algorithm 3 generates the basis matricesS

c1;...;cnc for a black and white (k, n)-EVCS under the

operation XOR, where c, c1; . . . ; cn [ {0, 1}.

Proof: We need to prove that the basis matrices Sc1;...;cncsatisfy the three conditions of Definition 2.

For the condition 1 of Definition 2: according toAlgorithm 3, the pixel expansion of Sc1;...;cnc is m

0 m l.

Because M0 and M1 are basis matrices of thecorresponding VCS, we have that the Hamming weight ofthe stacking results of any k out of n rows ofS

c1...cn

0

[M

0,D

] is at most h a

m

l and that ofSc1...cn1 [M1, D] is at leasth. Hence

aF (h) (h am l)

m l

(am l)

m l. 0

For the condition 2 of Definition 2: because M0 and M1 arebasis matrices of the corresponding (k, n)-VCS, and S

c1;...;cn0

and Sc1;...;cn1 are generated by concatenating the same matrix

D to M0 and M1, and noting thatCc1;...;cn0 and C

c1;...;cn1 are

the collections of all the permutations of Sc1;...;cn0 and

Sc1;...;cn1 , respectively, C

c1;...;cn0 and C

c1;...;cn1 satisfy the security

condition 2 of Definition 2.

For the condition 3 of Definition 2: because all the rowsof M0(resp. M1) have the same Hamming weight, byconcatenating the matrix D, the difference between a whitepixel and a black pixel in the share image is l and, hence,aS l=(m l) . 0.

In light of the above discussion, the theorem is proved. A

Two examples of black and white EVCS for the (2, 2)access structure are as follows ( for operations XOR andOR, respectively):

Example 2: The first example is a black and white (2, 2)-EVCS under the visual cryptography model of Tuyls, that



www.ietdl.org



11/15

is under the operation XOR

S100

101100

!S

101

101010

!S

110

101101

!S

111

101011

!

S000

100

100 ! S

001

100

010 ! S

010

100

101 ! S

011

100

011 !

The second example is a black and white (2, 2)-EVCS underthe visual cryptography model of Naor and Shamir that isunder the operation OR

S100

11011001

!S

101

11011010

!S

110

11011101

!S

111

11011110

!

S000

01011001

!S

001

10100101

!S

010

10101011

!S

011

10100111

!

4.3 Colour VCS and colour EVCSunder the visual cryptography modelof Tuyls

The visual cryptography model of Tuyls is interesting for thereasons of good resolution, contrast and colour properties.

The colour (n, n)-VCS on this visual cryptography modelcan recover the secret image perfectly. However, there is noknown colour VCS for general (k, n)-VCS, not to mentionthe colour EVCS under this visual cryptography model. In

this section, we propose the constructions of colour VCSand colour EVCS under the visual cryptography model ofTuyls.

The following construction constructs the colour (k, n)-VCS by Steps 1, 2, 3 and 4, and constructs the colour(k, n)-EVCS by Steps 10, 20, 3 and 4:

Construction 2: Constructions of the colour (k, n)-VCS andthe colour (k, n)-EVCS under the visual cryptographymodel of Tuyls:

Setup: Denote the n m matrices M0 and M1 as the basis

matrices of a corresponding black and white (k, n)-VCSunder the visual cryptography model of Tuyls, and denotethe n m0 matrices Mc1,...,cnc as the basis matrices of acorresponding black and white (k, n)-EVCS under the

visual cryptography model of Tuyls, where c, c1, . . . ,cn [ {0, 1}. Denote aj as the grey level of 1s and bj as thegrey level of 0s at bit-level j.


Step 1: Represent the grey levels of each colour channel(R, G and B, respectively) of all the pixels in the secret

image by vectors of 8 bits, that is, the secret image isdivided into 8 bit-levels, and each bit-level forms a binaryimage.

Step 10: Represent the grey levels of each colour channel(R, G and B, respectively) of all the pixels in the secretimage (resp. the n original share images) by vectors of8 bits, that is, the secret image (resp. the n original shareimages) is divided into 8 bit-levels, and each bit-level formsa binary image.

Step 2: For each bit-level jand each colour channel, encrypt abit byP(M0) and P(M1) for the colour channels R, G and Band bit-levels j[ {1, 2, . . . , 8}, respectively, where P(M0),P(M1) are the random column permutations of M0, M1,and replace the 1s in P(M0), P(M1) by the grey level ajand the 0s by the grey level bj.

Step 20: For each bit-level jand each colour channel, encrypt abit byP(Mc1 ,...,cnc ) for the colour channels R, G and B and bit-levels j[ {1, 2, . . . , 8}, respectively, where P(Mc1 ,...,cnc ) is arandom column permutation ofMc1,...,cnc , and replace the 1s

in P(Mc1 ,...,cnc ) by the grey level aj and the 0s by the grey

level bj.

Step 3: Repeat the steps 1 and 2 (resp. 1 0 and 20) until all thepixels in the secret image have been encrypted. Then, weobtain the shares s1i,t, s

2i,t, . . . , s

8i,t where i[ {1, 2, . . . ,

n}, t[ {R, G, B}, and the share sji,t is denoted as theshare for the participant i at the bit-level j for the colourchannel t.

Step 4: Each participant i is distributed with a share Si,where Si is generated by stacking the shares at thedifferent bit-levels and of the different colour channelss1i,R, s

2i,R, . . . , s

8i,R, s

1i,G, s

2i,G, . . . , s

8i,G, s

1i,B, s

2i,B, . . . , s

8i,B for

i[ {1, 2, . . . , n}.

Construction 2 looks similar to Construction 1, except thedifferences in the colour channels and the basis matrices M0,M1 and M

c1 ,...,cnc . However, Construction 1 cannot be applied

properly under the visual cryptography model of Tuyls,because of the differences on choosing the values of thegrey levels, which is caused by the different colour model.For the case of the construction of the colour VCS underthe visual cryptography model of Naor and Shamir, weonly need to choose the grey levels for the 1s of each bit-

level, and leave the pixels of the 0s intact. However, for thecase under the visual cryptography model of Tuyls, we haveto choose the grey levels for both the 1s and 0s of eachbit-level j that is the values of aj and bj. We notice that, bychoosing different grey levels for the bit-levels, we willobtain the quite different visual effects. However, finding aformula to determine the proper values for aj and bj israther complicated for the general (k, n)-VCS, whichheavily depends on the contents of the secret image,the observers experiences, the access structure and theintensity function of the visual cryptography model of

Tuyls (i.e. the function Ir(a) cos2(a1 a2)) and so on.

However, some basic rules should be satisfied, for exampleas follows. First, the distance between aj and bj should belarger than the distance between aj1 and bj1, that is



www.ietdl.org



12/15

jaj bjj . jaj1 bj1j, which means that the informationabout bit-level j should be more apparent than that ofbit-level j 1. Secondly, the average intensity of a whitepixel, which contains m(m0) sub-pixels, should be largerthan that of a black pixel that is, a white pixel should belighter than a black pixel.

The values of aj and bj in Example 3 satisfy the aboverules.

In Step 2, because the encryption uses the n m basismatrices M0 and M1, this scheme results in the pixelexpansion of m that is, the same as that of itscorresponding black and white VCS. For general colour(k, n)-VCS, one can make use of the basis matrices of thecorresponding black and white VCS proposed in Section4.1 and [24] and so on.

In Step 20

, because the encryption uses the n m0

basismatrix Mc1,...,cnc , this later scheme results in a pixelexpansion of m 0 that is, the same as that of itscorresponding black and white EVCS. For general colour(k, n)-EVCS, one can make use of the corresponding basismatrices constructed in Section 2.3.

With regard to the security of Construction 2, we give thefollowing theorem about the security of the proposed colourVCS and colour EVCS.

Theorem 5: Construction 2 generates n shares Si for

i

1,. . .

, n, where less than k out of these n shares cannotget any information about the secret image other than thesize of the secret image.

Proof: In Construction 2, the corresponding black and white(k, n)-VCS and (k, n)-EVCS are applied to encrypt the secretbits at each bit-level and each colour channel, respectively,that is, for a particular bit-level j (1 j 8) and a colourchannel X (X R, G, B), the shares s

j1,X, s

j2,X, . . . , s

jn,X

constitute a black and white (k, n)-VCS. Because of thesecurity conditions of Definitions 1 and 2, any less than kout of n shares cannot obtain any information about the

secret image other than the size of the secret image on thebit-level j and colour channel X, and they cannot obtainany information about the secret image for other bit-levelsand colour channels either, since the construction of theshares sj1,X, s

j2,X, . . . , s

jn,X is irrelevant to the information

about the secret image on those bit-levels and colourchannels. By applying the above discussions for all the bit-levels and colour channels, we have that any less than k outof n shares cannot obtain any information about the secretimage other than the size of the secret image.

An example of Construction 2 is as follows.

Example 3: For the construction of colour (2, 3)-VCS byConstruction 2: let the basis matrices of the corresponding

black and white (2, 3)-VCS be M0 100100100

24

35 and

M1

100010001

2

4

3

5, where the pixel expansion is 3. To simplify

the example, we let the secret image only have two bit-levels for each colour channel. Take the encryption of apixel with a grey level 128 as example. The most andsecond most significant bits of the pixel are 1 and0. Hence, we encrypt them by P(M1) and P(M0), where

we replace the 1s and 0s of P(M1) by a1 and b1, andreplace the 1s and 0s of P(M0) by a2 and b2, respectively.By encrypting all the pixels in the secret image, we obtainsix shares for each participant i as S1i,C, S

2i,C, S

1i,M, S

2i,M,

S1i,Y and S2i,Y. By stacking the six shares, we obtain the final

share Si for participant i. Fig. 3 shows the experimentalresults of the colour (2, 2)-VCS, where we set the grey

levels a1 200, b1 0, a2 0 and b2 50.

Similarly, for the construction of colour (2, 2)-EVCS byConstruction 2: let the basis matrices of the correspondingblack and white (2, 2)-EVCS be the first example inExample 2, where the pixel expansion is 3. Let the secretimage only have two bit-levels for each colour channel. Forthe encrypting of a pixel where the grey levels of the secretimage, the first and second original share images are 192,128 and 64, the most significant bits of the pixel in the

Figure 3 Experimental results of the colour (2, 3)-VCS under

the visual cryptography model of Tuyls

a Original secret imageb Resulting image by superimposing the shares Figs. 3c and 3dc Encrypted sharesd Encrypted shares

Other shares and recovered secret image are omitted here inorder to shorten the paperSize of the secret image is 256 170



www.ietdl.org



13/15

three images are 1, 1, 0. Hence, we encrypt the most

significant bit of this pixel by P(S101 ). Similarly, we encrypt

the second most significant bits of this pixel by P(S011 ),

where we replace the 1s and 0s in P(S101 ) by the grey levelsa1 and b1 and replace the 1s and 0s in P(S

011 ) by the grey

levels a2 and b2, respectively. By encrypting all the pixels inthe secret image, we obtain six shares for each participant ias S1i,C, S

2i,C, S

1i,M, S

2i,M, S

1i,Y and S

2i,Y. By stacking the six

shares, we obtain the final share Si for participant i. Fig. 4shows the experimental results of the colour (2, 2)-EVCS,

where we set the grey levels a1 200, b1 0, a2 0 andb2 50.

5 Comparisons

In this section, we compare our constructions of colour (k, n)-VCS and colour (k, n)-EVCS with known results in theliterature. In Table 1, the comparisons are on the followingcriteria:

C1 the pixel expansion of colour (k, n)-VCS underthe visual cryptography model of Naor andShamir;

C2 the pixel expansion of colour (k, n)-EVCS underthe visual cryptography model of Naor andShamir;

C3 the pixel expansion of colour (k, n)-VCS underthe visual cryptography model of Tuyls;

C4 the pixel expansion of colour (k, n)-EVCS underthe visual cryptography model of Tuyls;

C5 whether or not the construction is based on thehalftone technique;

C6 whether or not the increase in the number of

colours of the recovered secret image willincrease the pixel expansion;

C7 whether or not the colour model of theconstruction considers the colour darkeningphenomenon during stacking of pixels with thesame colour;

C8 whether or not the recovering of the secret imagerequires the assistance of computing devices.

Remark: For the criteriaC1, C2, C3 and C4, it is clear that asmaller share is easier to carry and preserve, or requires less

memory. Hence, the pixel expansion is expected to be assmall as possible.

For the criterion C5, we need to point out that the halftonetechnique usually expands the size of the secret image anddegrades the quality of the secret image. In fact, thehalftone technique without image expansion does exist,however, in such a case, it is equivalent to pick out themost significant bits of each pixel in the secret image, andabandon all the other information about the secret image,

which results in a serious degeneration in the visual effectof the secret image.

For the criterion C6, it is worthy to point out that, if theincrease in the number of colours increases the pixel

Figure 4 Experimental results of the colour (2, 2)-EVCS under the visual cryptography model of Tuyls

a Original imageb Original imagec Original image and secret imaged Encrypted sharese Encrypted sharesf Resulting image by superimposing the share Figs. 4d and 4e



www.ietdl.org



14/15

expansion, then the recovered secret image can only have asmall number of colours in the practical sense.

For the criterion C7, it is more practical if a colour modelconsiders the phenomenon of colour darkening whenstacking the pixels with the same colour.

For the criterion C8, the beauty of the VCS is itssimplicity; hence, it is better not to rely on the assistance ofcomputing devices when recovering the secret image.

In Table 1, cis the number of colours and m and m0 are thepixel expansions of the corresponding black and white (k, n)-VCS and (k, n)-EVCS that are used as building blocks. TheN/A in the C1 column indicates that the correspondingconstructions do not provide an explicit expression tocalculate the pixel expansion for their colour (k, n)-VCS.

The in the C2, C3 and C4 columns indicates that the

corresponding criteria do not apply.

According to the above comparisons, the advantages ofour constructions can be seen as follows. First, compared withthe constructions proposed in [4, 5, 8, 10, 11, 1518], thepixel expansion of our constructions is small, ourconstructions have the ability to represent all colours, and ourcolour model considers the phenomenon of colour darkening

when stacking the pixels with the same colour, which makesour constructions more practical. Secondly, compared withthe constructions proposed in [6, 7, 9, 13], our constructionsdo not need the halftone process while maintaining a small

pixel expansion. Thirdly, compared with the constructionproposed in [9, 12], our constructions do not need theassistance of computing devices.

Furthermore, compared with the constructions in [6,9,13],our constructions can generate VCS and EVCS for general (k,n) threshold access structure, and the constructions in [6, 9,13] only generated VCS or EVCS for specific accessstructures, for example the (2, 2) and (2, n) access structure.

6 Conclusion and future workThis paper proposed a colour (k, n)-VCS under the visualcryptography model of Naor and Shamir with no pixelexpansion, a colour (k, n)-EVCS under the visualcryptography model of Naor and Shamir with pixelexpansion the same as that of its corresponding black and

white (k, n)-EVCS, a black and white (k, n)-VCS and ablack and white (k, n)-EVCS under the visual cryptographymodel of Tuyls. Based on the black and white schemes, weproposed a colour (k, n)-VCS and a colour (k, n)-EVCSunder the same visual cryptography model, where the pixelexpansions are the same as that of their corresponding

black and white (k, n)-VCS and (k, n)-EVCS, respectively.We also gave the experimental results of the proposedschemes, and we compared the proposed scheme withknown schemes in the literature.

Unfortunately, the colour EVCS proposed above all havethe disturbing phenomenon, that is, part of the informationabout the original share images may appear in the recoveredsecret image. It is hard to eradicate such a phenomenon,but it is possible to find a method to weaken it. Thischallenging problem is left as an open problem.

Another open problem is how to determine the grey levelsof the bit-levels ai and bi (i[ {1, . . . , 8}), which is quitecomplicated and depends on the different colour model,

Table 1 Comparisons with the known results in the literature

Constructions C1 C2 C3 C4 C5 C6 C7 C8

ours 1 m m m no no yes no

Cimato et al. [4] N/A no yes no no

Cimato et al. [5] cnk

2k2 no yes yes no

Hou and TU [7] 1 yes no yes no

Lukac and Plataniotis [12] m no no yes yes

Shyu et al. [15] dlog cem no yes no no

Verheul and Tilborg [16] qk1

(q ! c) no yes no no

Yang and Laih [18] cm no yes no no

Koga and Yamamoto [11] N/A no yes no no

Koga et al. [10] N/A no yes no no

Ishihara and Koga [8] N/A no yes no no

Yang and Chen [17] 1 no no no no



www.ietdl.org



15/15

the content of the secret image, the access structure, theobservers experiences and so on.

7 Acknowledgments

Many thanks to the anonymous reviewers for their valuable

comments.

This work was supported by China national 973 projectNo. 2004CB318004 and China national 863 project No.2006AA01Z423.

8 References

[1] NAOR M., SHAMIR A.: Visual cryptography. EUROCRYPT

94, 1995, (LNCS, 950), pp. 1 12

[2] TUYLS P., KEVENAAR T., SCHRIJEN G.J., STARING T., DIJK M.V.:

Security displays enabling secure communications. 1stInt. Conf. Pervasive Computing, Boppard, Germany, 2004,

(LNCS, 2802), pp. 271 284

[3] Patent with International Application No.: PCT/IB2003/000261, Secure visual message communicationmethod and device. 2003

[4] CIMATO S., PRISCO R.D., DE SANTIS A.: Optimal colored

threshold visual cryptography schemes, Des. Codes

Cryptogr., 2005, 35, pp. 311335

[5] CIMATO S., DE PRISCO R., DE SANTIS A.: Colored visual

cryptography without color darkening, Theor. Comput.

Sci., 2007, 374, pp. 261276

[6] HOU Y.C.: Visual cryptography for color images, Pattern

Recognit., 2003, 1773, pp. 111

[7] HOU Y.C., TU C.F.: Visual cryptography techniques for

color images without pixel expansion (in Chinese)), J. Inf.

Technol. Soc., 2004, 1, pp. 95110

[8] ISHIHARA T., KOGA H.: A visual secret sharing scheme for

color images based on meanvalue-color mixing, IEICE

Trans. Fundam., 2003, E86-A, pp. 194197

[9] JIN D., YAN W.Q., KANKANHALLI M.S.: Progressive color visual

cryptography, J. Electron. Imaging, 2005, 14, (3), pp. 033019

[10] KOG A H., IWAMOTO M., YAMAMOTO H.: An analytic

construction of the visual secret sharing scheme for color

images, IEICE Trans. Fundam., 2001, E84-A, (1), pp. 262 272

[11] KOGA H., YAMAMOTO H.: Proposal of a lattice-based visual

secret sharing scheme for color and gray-scale images,

IEICE Trans. Fundam., 1998, E81-A, (6), pp. 12621269

[12] LUKAC R., PLATANIOTIS K.N.: Color image secret sharing, IEE

Electron. Lett., 2004, 40, (9), pp. 529530

[13] NAKAJIMA M., YAMAGUCHI Y.: Extended visual cryptography

for natural images. WSCG Conf. 2002, 2002, pp. 303412

[14] RIJMEN V., PRENEEL B.: Efficient color visual encryption or

shared colors of benetton. The rump session of Eurocrypt

96, Also available at http://www.esat.kuleuven.ac.be/

rijmen/vc/. 1996

[15] SHYU S.J.: Efficient visual secret sharing scheme for

color images, Pattern Recongnit., 2006, 39, pp. 866880

[16] VERHEUL E., TILBORG H.V.: Constructions and properties ofk out of n visual secret sharing schemes, Des. Codes

Cryptogr., 1997, 11, (2), pp. 179196

[17] YANG C.N., CHEN T.S.: Colored visual cryptography scheme

based on additive color mixing, Pattern Recognit., 2008,

41, (10), pp. 31143129

[18] YANG C.N., LAIH C.S.: New colored visual secret sharing

schemes, Des. Codes Cryptogr., 2000, 20, pp. 325335

[19] DROSTE S.: New results on visual cryptography. CRYPTO

96, 1996, (LNCS, 1109), pp. 401 415

[20] ATENIESE G., BLUNDO C., DE SANTIS A., STINSON D.R.: Extended

capabilities for visual cryptography, ACM Theor. Comput.

Sci., 2001, 250, (12), pp. 143161

[21] ITO R., KUWAKADO H., TANAKA H.: Image size invariant visual

cryptography, IEICE Trans. Fundam. Electron. Commun.

Comput. Sci., 1999, E82-A, (10), pp. 21722177

[22] YANG C.N.: New visual secret sharing schemes using

probabilistic method, Pattern Recognit. Lett., 2004, 25,

pp. 481494

[23] BLUNDO C., DE SANTIS A., STINSON D.R.: On the contrast in

visual cryptography schemes, J. Cryptol., 1999, 12, (4),

pp. 261289

[24] TUYLS P., HOLLMANN H.D.L., VAN LINT J.H., TOLHUIZEN L.: Xor-

based visual cryptography schemes, Des. Codes Cryptogr.,

2005, 37, pp. 169186


doi: 10 1049/iet ifs:20080066 & The Institution of Engineering and Technology 2008

www.ietdl.org

colour visual cryptography schemes liu wu lin

Documents