1 A Karnaugh Map Based f2,2g Visual Cryptography Scheme For …kostas/Publications2008/pub/... ·...
Transcript of 1 A Karnaugh Map Based f2,2g Visual Cryptography Scheme For …kostas/Publications2008/pub/... ·...
1
A Karnaugh Map Based{2,2} Visual
Cryptography Scheme For Color Images
Mohsen Heidarinejad and K.N. Plataniotis
The Edward S. Rogers Sr. Department of ECE,
University of Toronto
E-mail: {mohsen,kostas}@comm.utoronto.ca
Abstract
A novel {2,2} visual cryptography scheme for processing color images based on a Karnaugh map
design is introduced in this paper. The encryption and decryption functions are executed at the bit
levels of the RGB color representation. The proposed scheme affords no pixel expansion and offers
perfect reconstruction. Experimental results including in this paper support the main argument that
the developed scheme is ideal for transmission of color images over un-trusted, bandwidth limited
communication channels.
I. I NTRODUCTION
Digital data security and integrity preservation is paramount in modern communication sys-
tems. The confidentiality of the visual data transmitted over digital communication networks
is usually obtained by encryption. Visual data protection is achieved either by employing data
hiding techniques or through secret sharing (visual cryptography). Image data hiding techniques
embed information by modifying the original image to be transmitted in a imperceptible way [1].
Secret sharing schemes on the other hand are based on the principle of sharing secret information
among a group of participants. The shared visual secret is recovered only when a coalition of
willing participants are polling their shares together [2].
The proposed here visual cryptography scheme is intended for transmission of natural color
images over untrusted communication channels of limited bandwidth although it is readily
applicable to gray scale images or computer generated visual data. It operates directly on the bit
April 3, 2007 DRAFT
2
plane representation of the input image and produces noise-like shares for distribution over the
untrusted public networks. Using reciprocal encryption and decryption procedures, the visual
cryptography scheme recovers the input image and makes it readily available for subsequent
image processing tasks. The two factors that determine the quality of the recovered image are
the relative contrast difference and the pixel expansion-m. The relative contrast difference refers
to the difference in contrast between the original image and the recovered image. Pixel expansion
(m) refers to the number of subpixels in the share images needed to represent a single pixel of
the original input image. Obviously the larger the value of factorm the larger the size of the
share. Share size must be controlled since most communication channels are of limited capacity.
Therefore, in a bandwidth constrained communication channel it is desirable to keepm as small
as possible. Given the fact that color images, due to their tristimulus representation, occupy
much more space and require much more bandwidth for transmission compared to gray scale
images, it is important to develop a visual cryptography scheme with no pixel expansion, in
other words a scheme withm = 1. In [3],[4] and [5] half-toning and dithering methods are used
to control pixel expansion. However half-toning reduces the quality of the input as well as that
of the reconstructed original. Many of the existing schemes that offer no pixel expansion result
in either poor quality reconstructed images or images that are not identical to the original input.
For example, in [6] and [7] the reconstructed image’s brightness looks unnatural resulting in poor
visual quality results. Similarly the proposed in [8] scheme, has a pixel expansion factorm = 1
but it can not restore the original image perfectly. The hybrid visual secret sharing scheme
[9] has an adjustable pixel expansion at the expense, however, of the reconstruction quality.
The methodology in [9] explains the trade off between share size and contrast and introduces
size adjustable visual secret sharing mechanism such that the user can choose the appropriate
share size and the recovered image contrast that fits an application. In [10] a bit reversing
visual cryptography scheme where white pixels are almost perfectly reconstructed in addition
to perfectly reconstructed black pixels is proposed. In [11] a color{2,2} visual cryptography
scheme with a pixel expansion factor ofm = 4 is proposed, however the solution cannot perfectly
reconstruct the original input image. The same performance is reported in [12]. The method has
an expansion factor ofm = 1 but it cannot be applied when the reconstructed image must be
very similar to the original input image. The scheme in [13] perfectly reconstructs the original
input image because the encryption and decryption functions are reciprocal but it has a pixel
April 3, 2007 DRAFT
3
expansion factor ofm = 4 and thus it cannot be used for cost-effective communications over
bandwidth constrained channels. The main contribution of this paper is the introduction of a new
perfect reconstruction{2, 2} visual cryptography scheme with no pixel expansion(m = 1). The
proposed algorithm can be viewed as the basic solution of a generic{t, n} visual secret sharing
problem [14],[15] and [16] for color images.
The rest of this paper is organized as follows. A brief description of visual cryptography
is given in section2. The proposed scheme is presented in section3. Section4 summarizes
experimental result, while conclusions are drawn in section5.
II. B RIEF REVIEW OF VISUAL CRYPTOGRAPHY
Visual cryptography solutions can be applied to binary, gray-scale and color data [17]. All
visual cryptography(VC) schemes are based on threshold designs or access structure solutions
[18]. Threshold VC is a type of secret sharing scheme firstly introduced by Naor et al [19].
The scheme recovers the input image without the use of any complex decoding operations by
using the human ability to process visual content. In the generalt out of n VC scheme, which is
denoted as{t, n} scheme, an image is encoded to n shares of random patterns by means of two
defined matrix sets. Each participant is given a share which is basically the original input (secret)
image whose pixels have been replaced by some other pixels according to a sharing policy. Any
subset of participants witht or more elements can detect and reconstruct the original input image
[19].
An access structure VC scheme typically follows the general access structure developed by
Ateniese et al [20]. The model describes a set of qualified subsetsΓQual and a set of forbidden
subsetsΓForb on n participantsP = {1, 2, ..., n}. Only the participants of any qualified subset
can jointly reconstruct the input image. The pair(ΓQual, ΓForb) is called the access structure of
the scheme. In the scheme proposed hereΓQual = {P1, P2} wherePi is ith participant. This is
due to the fact that for reconstructing the input image all shares are needed.
April 3, 2007 DRAFT
4
III. PROPOSED METHOD
A. Encryption
Color images are usually represented in the RGB color space for both visualization and storage.
In RGB a given color imageA is defined asA : Z2 → Z3. In other words it is considered to
be a(K1 ×K2) matrix with each of its elements being a three-dimensional vector. Each pixel
has three colors-red,green and blue-with intensity values ranging from0 to 255. Thus each of
these color pixels is represented using24 bits according to the formula:
A(i,j) = [a(i,j)1, a(i,j)2, a(i,j)3] (1)
where(i, j) (for i = 1, 2, ..., K1 and j = 1, 2, ..., K2) and c = 1, 2 or 3 are the spatial position
and color channels respectively withc = 1 denoting theR component,c = 2 denoting the
G component andc = 3 indicating theB component. Using the bit-level notation, thea(i,j)c
element of the color vectorA(i,j) can be expressed as follows:
a(i,j)c =8∑
k=1
ak(i,j)c2
8−k (2)
where ak(i,j)c equals to binary zero or one (bit). In the proposed method, the original secret
image is transformed into a noise like image by permuting all pixels according to a secret key.
A permutation step determines the correlation between neighboring pixels that is needed to
increase the randomness of the shares. Two matricesR and C with corresponding dimensions
(K1 × K1) and (K2 × K2) are needed in the implementation of the permutation module. The
defining characteristic of the two matrices is that they are containing only one1 in each row
and each column while the rest of the elements are set to zero. The original input imageA is
permuted using the formula :
Apermuted = (R× A)× C (3)
In the original proposal of [19] each bit of the binary input image is replaced with a randomly
selected row of some generator matrix using two sets of matrices and a given sharing policy.
The proposed scheme follows the same design fundamentals. In particular, the proposed scheme
encrypts two original bits by mapping them to two bits thus offering no pixel expansion(m = 1).
By design the input image (secret input) and the two shares are of the same size. It is easily
April 3, 2007 DRAFT
5
understood that for two bits, the four possible combinations are{00, 01, 10, 11}. Based on the
permissible combinations, four(4× 4) encryption matrices are defined as follows:
E00 =
0 1 0 1
0 1 1 0
1 1 1 1
1 0 0 1
E01 =
0 0 0 0
1 1 0 0
1 1 1 0
1 0 1 1
E10 =
0 0 0 1
0 0 1 1
0 1 1 1
1 1 0 1
E11 =
0 0 1 0
0 1 0 0
1 0 0 0
1 0 1 0
where Eij is the basis matrix for encrypting the binary tuple(i, j) (i, j = 0 or 1). The
encryption module utilizes a random generation algorithm, called ”rand function”, to generate
a random numberq ε [1, 4] (the number ofEij rows). Based on its outcome, the dealer uses
the qth row of Eij matrix (Eqij) to encrypt the tuple(i, j). The first 2 elements ofEq
ij form the
first share related to(i, j) while the remaining two elements form its second share. Thus the
encryption function can be defined as:
fe(i, j) = Eqij = [fe1ij, fe2ij] = [(h11, h12), (h21, h22)] (4)
and
Eqij = (h11, h12, h21, h22) (5)
wherefekij andhtz (k, t, z = 1 or 2) are thekth part of the encryption function for the tuple(i, j)
andzth element oftth share, respectively. Certain conditions and constraints are imposed during
the matrix generator row selection. For example, each of the 2-tuples(h11, h12) and (h21, h22)
must be different from the original binary tuple(i, j) since shares must be significantly different
from the input image. As each row of encryption matrices has4 elements, there are24 = 16
possible choices for each row. However, the imposed constraints eliminate 7 choices (forbidden
combinations) from the Karnaugh table [21] (the row and column that contain the binary tuple
(i, j)). Thus, the permissible choices are based on the remaining nine elements as they are defined
by the Karnaugh map logic. For example, assuming that the dealer considers replacing the rows
of matrix E00, the allowable options are restricted to the minterms marked in Fig.2. A minterm
April 3, 2007 DRAFT
6
is a logical expression ofn variables consisting of only the logical conjunction operator and the
complement operator. There are2n minterms forn variables. Given the fact that in the proposed
scheme there are four variables{h11, h12, h21, h22}, the related24 = 16 minterms are represented
in a (4 × 4) Karnaugh map logic. Each of the rows in the defined encryption matrices can be
considered as a four-tuple consisting of binary elements. In other words each row is a four bit
string that can be represented in a(4× 4) Karnaugh map logic.
B. Decryption
Similarly to the encryption step the proposed decryption function is also based on the Karnaugh
map logic. Based on the rows of encryption matrices, the decoding function can be defined as
follows:
fd(h11, h12, h21, h22) =
(0, 0) if h11h12h21h22 + h11h12h21h22
+h11h12h21h22 + h11h12h21h22 = 1
(0, 1) if h11h12h21h22 + h11h12h21h22
+h11h12h21h22 + h11h12h21h22 = 1
(1, 0) if h11h12h21h22 + h11h12h21h22
+h11h12h21h22 + h11h12h21h22 = 1
(1, 1) if h11h12h21h22 + h11h12h21h22
+h11h12h21h22 + h11h12h21h22 = 1
(6)
wherehij (i, j = 1 or 2) means complement ofhij and(h11, h12, h21, h22) = Eqij. The expressions
in (6) is 1 if and only if a corresponding row which we built by concatenating elements of share
1 and share2 belongs to a single matrix in the set of matrices defined during the encryption
process. To find a boolean function, minterms that produce binary1 are added modulo2. Boolean
expressions in (6) correspond to functions that are determined by adding some specified minterms
modulo2. The logic expression for(i, j)-the output of the decoding process-withi, j = 0 or 1
is defined by adding the minterms corresponding toEij rows. If these specified minterms are
related toEij rows, the decoding function will return(i, j).
The notation used in the proposed scheme-for sharing one byte (each ofa(i,j)c in equation
(2)) of the original input image is summarized in Table I. As it can be seen there0≤ S ≤ 255
(S is one byte consisting of eight bits),si = 0 or 1 where1≤ i ≤ 8, Shj is jth share ofS,
Vt(t+1) = (Vt(t+1)1, Vt(t+1)2) (7)
April 3, 2007 DRAFT
7
TABLE I
THE SUMMARY OF THE NOTATIONS IN THE PROPOSED SCHEME
Input(secret) S = (s1, s2, s3, s4, s5, s6, s7, s8)
Shares Sh1 = (V121, V341, V561, V781) andSh2 = (V122, V342, V562, V782)
reconstructed Sde = (fd(V12), fd(V34), fd(V56), fd(V78))
and
Vt(t+1)j = fejstst+1 = (stje, s(t+1)je) (8)
wheret = 1, 3, 5 or 7 and j = 1 or 2.
The proposed scheme perfectly reconstructs the input image and thus the recovered image is
identical to the color input image as it is shown in the following theorem.
Theorem 1 (Perfect reconstruction:):A secret(S) at the byte level is perfectly recovered by
using together the two corresponding sharesSh1 andSh2.
Proof:
Sde = (fd(V121, V122), fd(V341, V342), fd(V561, V562), fd(V781, V782))
= (fd(fe1s1s2 , fe2s1s2), fd(fe1s3s4 , fe2s3s4), fd(fe1s5s6 , fe2s5s6), fd(fe1s7s8 , fe2s7s8))
= (fd(fe(s1, s2)), fd(fe(s3, s4)), fd(fe(s5, s6)), fd(fe(s7, s8)))
= (s1, s2, s3, s4, s5, s6, s7, s8)
= S
It shows that the proposed scheme perfectly reconstructs the input secret because one byte
(S) is perfectly reconstructed using the generated shares based on the proposed sharing policy.
All of the pixels bytes (three bytes for each pixel) of original input image can be reconstructed
in the same manner.
After encryption and decryption process for all of the permuted image pixels, the inverse of the
permutation is performed on the decrypted image i.e.
Areconstructed = (R−1 × decryptedimage)× C−1 (9)
whereAreconstructed is the reconstructed version of the original input image.
April 3, 2007 DRAFT
8
C. Security analysis
As it was stated in the introduction, secret sharing schemes are utilized to enhance security
and protect visual content transmitted over un-trustworthy communication channels. Therefor,
each of the two generated shares must not reveal any information which can be used to recover
the original input image. In the proposed here{2,2} scheme an individual can decode the secret
image only if possesses both shares. In other words, a single share by itself does not provide
any meaningful information about the original input image. For example, supposefe(i, j) =
[(h11, h12), (h21, h22)]. The scheme is secure if and only if(h11, h12) 6= (i, j) and (h21, h22) 6=(i, j). The condition is satisfied because(h11, h12, h21, h22) = Eq
ij and due to the fact that none
of binary tuples(h11, h12) and (h21, h22) are equal to(i, j) due to the encryption process. For
example to encrypt(0, 0) the dealer chooses one ofE00 rows randomly. It is clear that none of
2-tuples(h11, h12) and (h21, h22) is equal to(0, 0).
IV. EXPERIMENTAL RESULT
Simulation results obtained by the proposed VC scheme are provided in this section. The
section includes a comparison between the proposed here method and the solution developed
in [13]. Experimentation with a variety of natural images of practical importance was used to
demonstrate the effectiveness of the scheme.
In Fig. 3 the proposed scheme was applied on the(147× 97) JPEG input image shown in Fig
3a. The generated shares are depicted in Figs 3b and 3c. These two noise like images reveal no
information about the original input. Simple visual inspection indicates that the size of shares
and that of input image is the same. The reconstructed image is shown in Fig 3d. As it was
expected due to the perfect reconstruction property the reconstructed image is identical to the
input.
In Fig. 4 the scheme proposed in [13] is applied on the same image shown in Fig 3a and the
generated shares are depicted at Figs 4b-4c. Visual inspection of the results indicates that unlike
this solution, the shares generated are larger in size compared to the original input image. This
is to be expected since the method of [13] has an expansion factor ofm = 4. Consequently, the
method in [13] makes it difficult to transfer color images via bandwidth limited communication
channels.
The proposed scheme is also tested on color images of significance in practical applications.
April 3, 2007 DRAFT
9
Input: Color image A in RGB space that is represented by aK1 ∗K2 matrix
Outputs: Share1, Share2 and Reconstructed matrices
Step 1. Replace A with its permuted version
Step 2. Let(i, j) = (1, 1)
Step 3. For each of color channel of the pixel at spatial position(i, j) produce a binary
representation based on equation(2)
Step 4. For each of these binary representation computeSh1 andSh2 as it is mentioned
in Table I
Step 5. Replace numerical version ofSh1 andSh2 in (i, j) spatial position of share1 and
share2 matrices respectively
Step 6. Based onSh1 andSh2 computeSde as it is mentioned in Table I
Step 7. Replace numerical version ofSde in (i, j) spatial position of the matrix that is
represented as the reconstructed image matrix
Step 8. Leti = i + 1
Step 9. Ifi > K1 go to step9 else go to step2
Step 10. Letj = j + 1
Step 11. Ifj > K2 go to step11 else go to step2
Step 12. Applying the inverse-permutation operation on the reconstructed image
Step 13. END
Fig. 1. The pseudo code of the proposed scheme
The purpose of this experiment is to show that the proposed scheme can be applied to any type
of visual images in realistic application scenario. In particular, the new scheme is applied to
natural outdoor image (Fig. 5), a face image (Fig. 6), a surveillance frame image (Fig. 7), a
scanned document (Fig. 8) and a colored document (Fig. 9) respectively. Visual inspection of
the obtained results confirms the properties of the proposed scheme that is to say that size of
the shares and the original input image is the same (no pixel expansion) and that reconstructed
April 3, 2007 DRAFT
10
images are identical to the provided inputs. As it can be seen from the various figures, shares1
and2 reveals no information about the input image.
Fig. 10 presents the results obtained for the face image input when the permutation formula of
(3) is not used prior to encryption process. As it can be seen share 1 as well as share 2 reveal
important information about the input image. For example, by visually inspecting share1 (Fig
10b) it is evident that the secret input is a face image. During the encryption process two bits
are mapped onto two other bits and as a result at most one of them remains the same. However,
due to the nature of input image, the intensity value of adjacent pixels is either the same or
insignificantly different. When such image regions are encrypted, original input information can
be detected in the background of the generated shares. To recede the situation and prevent display
of original information, permutation must be performed on the original input image.
V. CONCLUSIONS
A new {2,2} VC scheme based on a Karnaugh map design was presented in this paper. It
directly operates on the bit plane of the original input color image. Perfect reconstruction and no
pixel expansion are the main characteristics of the proposed scheme. Using permutation before
encryption process, the secrecy of the solution is enhanced. Based on experimental results, our
scheme can be applied to send color images over un-trusted, bandwidth limited communication
channels since the shares produced are identical in size to the secret input image.
April 3, 2007 DRAFT
11
REFERENCES
[1] F. Petitcolas and R. Anderson, “Information hiding: a survey,”Proceedings of the IEEE, vol. 87, pp. 1062–1078, July
1999.
[2] C. Chang and J. Chuang, “An image intellectual property protection scheme for gray-level images using visual secret
sharing strategy,”Pattern Recognition Letters, vol. 23, pp. 931–941, June 2002.
[3] Y. Hou, F. Lin, and C. Chang, “Visual cryptography for color images without pixel expansion,”Journal of Technology,
vol. 16, no. 4, pp. 595–603, 2001.
[4] Y. Hou and S. Tu, “A visual cryptographic technique for chromatic images using multi-pixel encoding method,”Journal
of Research and Practice in Information Technology, vol. 37, no. 2, p. 179, 2005.
[5] R. Ito, H. Kuwakado, and H. Tanaka, “Image size invariant visual cryptography,”IEICE Transaction on Fundamentals,
vol. E82-A, no. 10, pp. 2172–2177, 2002.
[6] H. Koga and H. Yamamoto, “Proposal of a lattice-based visual secret sharing scheme for color and gray-scale images,”
IEICE Trans. Fundamentals, vol. E81-A, no. 6, pp. 1262–1269, 1998.
[7] H. Koga, M. Iwamoto, and H. Yamamoto, “An analytic construction of the visual secret scheme for color images,”IEICE
Trans. Fundamentals, vol. E84-A, no. 1, pp. 262–272, 2001.
[8] Y. Hou, “Visual cryptography for color images,”Pattern Recognition, vol. 36, no. 7, pp. 1619–1629, 2003.
[9] C. Yang and T. Chen, “Size-adjustable visual secret sharing schemes,”IEICE Trans. Fundamentals, vol. E88-A, pp. 2471–
2474, September 2005.
[10] D. Viet and K. kurosawa, “Almost ideal contrast visual cryptography with reversing,”Lecture Notes in Computer Science,
vol. 2964, pp. 353–365, 2004.
[11] V. Rijmen and B. Preneel, “Efficient colour visual encryption or ’shared colors of benetton’.” presented at the rump session
of EUROCRYPT’96, 1996.
[12] H. Young-Chang, “Visual cryptography for color images,”Pattern Recognition, vol. 36, pp. 1619–1629, 2003.
[13] R. Lukac and K. Plataniotis, “Bit-level based secret sharing for image encryption,”Pattern Recognition, vol. 38, pp. 767–
772, May 2005.
[14] C. Blundo, A. De santis, and D. Stinson, “On the contrast in visual cryptography schemes,”Journal of Cryptology, vol. 12,
no. 4, pp. 261–289, 1999.
[15] C. Blundo, P. D’Arco, A. De Santis, and D. Stinson, “Contrast optimal threshold visual cryptography schemes,”SIAM
J.Discrete Math., vol. 16, no. 2, pp. 224–261, 2003.
[16] T. Hofmeister, M. Krause, and H. Simon, “Contrast optimalk out of n secret sharing schemes in visual cryptography,”
Theoret.Comput.Sci., vol. 240, pp. 471–485, June 2000.
[17] M. Iwamoto and H. Yamamoto, “The optimal n -out-of- n visual secret sharing scheme for gray-scale images,”IEICE
Trans. Fundamentals, vol. E85-A, pp. 2238–2247, October 2002.
[18] D. Stinson, “Visual cryptography and threshold schemes,”Potentials, IEEE, vol. 18, pp. 13–16, Feb/Mar 1999.
[19] M. Naor and A. Shamir, “Visual cryptography,”Advances in Cryptography: Eurocrypt’94,Springer, pp. 1–12, 1995-Berline.
[20] G. Ateniese, C. Blundo, A. De Santis, and D. Stinson, “Visual Cryptography for General Access Structures,”Information
and Computation, vol. 129, no. 2, pp. 86–106, 1996.
[21] M. Karnaugh, “The map method for synthesis of combinational logic circuits,”Transactions of American Institute of
Electrical Engineers, vol. 72, pp. 593–599, November 1953.
April 3, 2007 DRAFT
12
Fig. 2. A mapping of minterms on a Karnaugh map
(a) (b)
(c) (d)
Fig. 3. The Karnaugh based method (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image
April 3, 2007 DRAFT
13
(a) (b)
(c) (d)
Fig. 4. The{2,2} visual secret sharing scheme of [13]: (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image
April 3, 2007 DRAFT
14
(a) (b)
(c) (d)
Fig. 5. The Karnaugh based method (tested for a scene): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image
April 3, 2007 DRAFT
15
(a) (b)
(c) (d)
Fig. 6. The Karnaugh based method (tested for a face image): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image
April 3, 2007 DRAFT
16
(a) (b)
(c) (d)
Fig. 7. The Karnaugh based method (tested for a surveillance frame image): (a) Original image (b) Share 1 (c) Share 2 (d)
Decoded image
April 3, 2007 DRAFT
17
(a) (b)
(c) (d)
Fig. 8. The Karnaugh based method (tested for a scanned document): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded
image
April 3, 2007 DRAFT
18
(a) (b)
(c) (d)
Fig. 9. The Karnaugh based method (tested for a colored document): (a) Original image (b) Share 1 (c) Share 2 (d) Decoded
image
April 3, 2007 DRAFT
19
(a) (b)
(c) (d)
Fig. 10. An example of forbidden permutation: (a) Original image (b) Share 1 (c) Share 2 (d) Decoded image
April 3, 2007 DRAFT