Contents lists available at SciVerse ScienceDirect

Signal Processing

Signal Processing 92 (2012) 727–736

0165-16

doi:10.1

n Corr

E-m

journal homepage: www.elsevier.com/locate/sigpro

Insight into collusion attacks in random-grid-based visualsecret sharing

Yao-Sheng Lee, Tzung-Her Chen n

Department of Computer Science and Information Engineering, National Chiayi University, Chiayi City, Taiwan 60004, ROC

a r t i c l e i n f o

Article history:

Received 19 May 2011

Received in revised form

11 September 2011

Accepted 13 September 2011Available online 29 September 2011

Keywords:

Visual secret sharing

Collusion attack

Cheating problem

Random grids

84/$ - see front matter Crown Copyright & 2

016/j.sigpro.2011.09.015

esponding author. Tel.: þ886 5 2717723; fax

ail address: thchen@mail.ncyu.edu.tw (T.-H. C

a b s t r a c t

Visual secret sharing (VSS), either visual-cryptography-based (VC-based) VSS or random-

grid-based (RG-based) VSS, is a well-known technology of secret communication for

sensitive security applications. Horng et al. (2006) kindled the interest in the cheating

problem existing in threshold VC-based VSS. The cheating problem happened when

dishonest participants collude to cheat honest ones by enabling the latter to accept the

wrong secret information generated by the former. As RG-based VSS (RGVSS) has gained

significant attention in academia in the past years, it is concerned that RG-based VSS may

also suffer cheating attacks. The authors of the present study demonstrate that the security

risk does exist in RG-based VSS. To prove the feasibility of cheating, the experimental results

and formal analysis illustrate that the proposed collusion attacks do work.

Crown Copyright & 2011 Published by Elsevier B.V. All rights reserved.

1. Introduction

The concept of k-out-of-n, denoted (k,n), secret sharingwas first proposed by Shamir [1] and Blakley [2] in 1979,whose data are partitioned into n pieces and the data arereconstructed by collecting any k or more than k piecesfrom those n pieces (k%n).

Visual cryptography (VC), proposed by Naor and Shamir[3], is a variant of secret sharing. In a (k,n) VSS scheme, asecret image is firstly divided into n share images by a well-designed codebook and, then, distributed to n participants.The secret image can be visually revealed by superimposingat least k share images. In the past decade, the researchof improving VC technique and its applications has rapidlygrown in academia, such as image encryption [4–6], visualauthentication [7,8], image hiding [9,10], digital watermark-ing [11,12], etc.

In 2006, Horng et al. [13] claimed the (k,n) VC-basedVSS suffers the cheating of malicious participants, calledcheaters, intending to misguide honest participants by

011 Published by Elsevier

: þ886 5 2717741.

hen).

generating a share image to cheat honest participants, orcalled victims. They mislead the victims to accept thewrongly revealed secret information. For instances, sup-pose that the codebook for (2,3) VC scheme was shown inTable 1. Assume the dishonest participants A with share 1and B with share 2 conspire to cheat victim C with share 3by creating a share image. The first row in Table 2 showsthe cheating procedure in which the secret pixel trans-lates from white to black. Assume the subpixels in share 1

(resp. share 2 and share 3) is ‘‘ ’’ (resp.

‘‘ ’’ and ‘‘ ’’). When participants A

and B conspire to know the secret pixel is white andintend to change the secret color from white to black tocheat participant C by modifying the sub-pixels of share 1

(resp. share 2) into ‘‘ ’’ (resp. ‘‘ ’’).

The revealed secret pixel by stacking the cheater’s and thevictim’s share images becomes black. Likewise, the secondrow in Table 2 shows the cheating procedure in case ofthe secret pixel translated from black to white.

Since the cheating problem was found, there have been aseries of cheating prevention schemes [13–17] designed.

B.V. All rights reserved.

Table 1The example of (2,3) VC codebook.

Pixel in secret image Subpixel in Share 1 Subpixel in Share 2 Subpixel in Share 3 Share 1 � Share 2 Share 1 � Share 3 Share 2 � Share 3

Table 2The example of (2,3)-VC cheating process.

Pixel in secret image Pixel in cheating image Subpixel in

Share 1

Subpixel in

Share 2

Subpixel in

Share 3

Subpixel in

Share 1’

Subpixel in

Share 2’

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736728

Another VSS technique by random grids (RG), pro-posed by Kafri and Keren [18] in 1987, has drawn moreand more attention in academia. RG-based VSS aims atencoding a secret image into numerous meaninglessshare images, called random-grids, with the same sizeas the secret image. The decryption operation is the sameas that of the VC-based VSS. It is worth noting that thetwo main characteristics of RG-based VSS compared withVC-based VSS are (1) no share image size expansion; and(2) no request of the tailor-made codebook.

Inspired by Kafri and Keren [18], Shyu [19] presented twoRG-based VSS schemes to encode gray-level and colorimages. To remove the limitation of (2,2) RG-based VSS, Shyu[20] developed a (n,n) RG-based VSS method which cangenerate more than two random grids to share one secretimage. Almost simultaneously, Chen and Tsao [21] proposedtheir (2,n) and (n,n) RG-based VSS schemes. Later, Chen andTsao [23] designed a (k,n) threshold RG-based VSS scheme. Inorder to ease the burden of managing meaningless randomgrids, Chen and Tsao [26] presented a friendly RG-based VSSscheme in which a meaningful logo appears on the randomgrids, which disappears upon stacking meaningful random-grids. Wang and Lee [22] developed a friendly RG-based VSSscheme in which some identification patterns can berevealed by folding a single share.

With RG-based VSS in an early development stage, it isworthwhile to pay attention to the prospective cheatingattacks happening to RG-based VSS. This paper points outthat the collusion attack does work in (2,n) and (k,n)RG-based VSS. In (2,n) RG-based VSS [21], the area in the

reconstructed secret image corresponding to the whitesecret pixels can be maliciously operated by cheaters’turning white to black. Furthermore, in (k,n) case, chea-ters can choose a cheating image freely. The experimentalresults and theoretical analysis demonstrate cheatingattacks are possible in the RG-based VSS schemes.

The rest of this paper is organized as follows. Theproposed cheating processes to (2,n) and (k,n) RG-basedVSS are described in Sections 2 and 3. Section 4 demon-strates the experimental results. Finally, conclusion isgiven in Section 5.

2. Cheating in (2,n) RG-based VSS

This section demonstrates that the cheating behaviormay work in (2,n) RG-based VSS scheme [21] where n42.

2.1. Cheating scenario in (2,n) RGVSS

The cheating procedure in (2,n)-RGVSS is conceptuallyillustrated in Fig. 1. Firstly, the secret image is encoded into n

random-grids by Chen and Tsao’s (2,n) RG-based VSSalgorithm [21]. The random-grids are distributed to Alice,Bob, Carol, and other participants, respectively. Assumecheaters Alice and Bob intend to cheat honest participantCarol. The former may superimpose their random-gridstogether to obtain the reconstructed secret image. Secondly,by the reconstructed secret image, the original secret imagecan be recovered without distortion. Accordingly, Alice andBob determine the cheating message.

Fig. 1. The cheating example in (2,n) RGVSS.

S

G1 G2 G4 GnG3

S S S

Fig. 2. The concept of (2,n) VSS scheme by random grids.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736 729

The cheating message is obtained by altering some whitepixels in the original secret image to black pixels. Then, thecheating process is performed to obtain a fake random-grid.When victim Carol superimposes her random-grid with thefake one, the cheating message is revealed.

2.2. Review of (2,n) RG-based VSS

The proposed (2,n) RG-based VSS scheme [21] is concep-tually shown in Fig. 2. Secret S is firstly split into tworandom-grids G1 and G2. Secondly, the identical secret isused to generate G3 by G2. Repeat this process until the nthcipher-grid RBn is generated. To encode a white secret pixel,the value 0 or 1 of a grid-pixel G1(i,j) in random-grid G1 israndomly generated, and those of the other grid-pixelscorresponding to the same position (i,j) in the other n�1random-grids are identical to that of G1(i,j). To encode a blacksecret pixel, the values of grid-pixels Gr(i,j) (r¼1,2,y,n) arerandomly generated.

2.3. (2,n) RG-based VSS cheating procedure

Before illustrating the proposed cheating procedure, wegive some notations and definitions. Suppose that the pixel

values ‘‘0’’ and ‘‘1’’ represent transparent and opaque, respec-tively, and the secret image with the size of h�w pixels isdefined asS¼ fSði,jÞ9Sði,jÞ ¼ 0 or 1, 0%i%ðw�1Þ, 0%j%

ðh�1Þg; the generated random-grids Gr ¼ fGrði,jÞ9Grði,jÞ ¼0 or 1, 0%i%ðw�1Þ, 0%j%ðh�1Þg where r¼1, 2, y, n;the cheating message CM¼ fCMði,jÞ9CMði,jÞ ¼ 0 or 1, 0%

i%ðh�1Þ, 0% j%ðh�1Þg; and the fake random-grid FG¼

fFGði,jÞ9FGði,jÞ ¼ 0 or 1, 0%i%ðw�1Þ, 0%j%ðh�1Þg.

Definition 1. Corresponding area representation.Assume that S(x) is the area corresponding to all the

pixels of color x in the secret image S which satisfies

Sð0Þ [ Sð1Þ ¼ S

Sð0Þ \ Sð1Þ ¼ |:

(

Consequently, the area in the reconstructed image R

corresponding to all the transparent (resp. black) area inthe secret image S as R[S(0)] (resp. R[S(1)]).

Definition 2. Random value generation function.Chaos(.): r’Chaos(.), r is the output of function Chaos(.),

where Chaos(.) is the function to generate a random value0 or 1 by the logistic map [25]. The logistic map is definedas xkþ1¼4xk(1�xk), xkA(0, 1). An initial value x0 isselected as an input, where each value of the random numbersequence r is obtained by the equation r¼ xk � 1013 mod2where rA{0,1}.

2.3.1. Choice of cheating message

In the cheating process, cheaters alter their random-grids by optionally changing the values of the grid-pixelscorresponding to the white area in the original secret toform a fake random-grid.

CM(i, j)

CM(i, j) = S(i, j)

No Yes

FG(i, j) = Chaos(.) FG(i, j) = G1(i, j)

G1(i, j)S(i, j)

Fig. 3. The procedure of cheating process.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736730

Definition 3. Cheating image in (2,n) RG-based VSS.By Definition 1, we define the cheating message CM in

(2,n) RG-based VSS with respect to the secret image S tosatisfy the following equations:

CMð0Þ \ Sð0Þ ¼ CMð0Þ

CMð1Þ \ Sð1Þ ¼ Sð1Þand

CMð0Þ [ CMð1Þ ¼ CM

CMð0Þ \ CMð1Þ ¼ |

((

2.3.2. Operations of cheating

Firstly, cheaters superimpose their random-grids toobtain the reconstructed secret image to compute theoriginal secret image.

Suppose G1 is the cheater’s random-grid. The processof encoding a pixel in CM is demonstrated in Fig. 3.

The grid-pixels in FG are generated according to thepixel values in CM and S. If CM(i,j)¼S(i,j), the pixel valueFG(i,j) is the same as that of G1(i,j). Otherwise, the pixelvalue of FG(i,j) is generated by Chaos(.).

Upon the fake random-grid FG generation, if FG isstacked with the other random-grid, the cheating mes-sage, not the original secret, is revealed.

2.4. Analysis of cheating feasibility

To examine the feasibility of cheating, two propertiesmust be satisfied. Firstly, the fake random-grid is visuallyregarded as the general noise-like random-grid by thevictim. Secondly, the appearance of the stacked result bysuperimposing the fake and the victim’s random-grids isvisually recognized as the cheating information.

Priori to demonstrating the feasibility of the proposedcheating scheme, two definitions are given.

After the encoding process of the proposed scheme,the generated random-grids are photocopied on thetransparent sheets. Here, only the white (or transparent)pixels are pervious to light.

Definition 4. Average light transmission.

The average light transmission of an image I is defined as

L I½ � ¼The number of white pixels in I

The total number of pixels in I:

Definition 5. Contrast

Suppose the reconstructed secret image R is composedof R[S(0)] and R[S(1)]. Borrowed from Ref. [19], the contrast

d can be computed to evaluate the visual quality of R byequation

d¼L½R½Sð0Þ���L½R½Sð1Þ��

1þL½R½Sð1Þ��:

Thus, the larger value of the contrast d, the bettervisual quality of the reconstructed image. Hence, R can berecognized as S visually when L[R[S(0)]]aL[R[S(1)]].

Proposition 1. Fake random-grid is meaningless.

The fake random-grid should be visually regarded as ageneral noise-like random-grid such that it does not attractthe victim’s extra attention. Actually, the random-grid FG

alone reveals no information, i.e., meaningless.

Proof. The proposed (2,n) RG-based VSS cheating processgenerates the grid-pixels of FG by performing Chaos(.) orassigning the same value as that of G1(i,j). Hence, the fakerandom-grid FG can be supposed to divide into two parts,say FG[CM(0)] and FG[CM(1)], in which the grid-pixels inFG[CM(0)] are the same as G1[CM(0)] and the grid-pixels inFG[CM(1)] are generated randomly. In Ref. [21], the grid-pixels in G1 are generated by assigning a white orblack grid-pixel with the probability of 1/2. Hence, theexpected light transmission of FG[CM(0)] is L[FG[CM(0)]]¼L[G1[CM(0)]]¼1/2. Since the grid-pixels in the areaFG[CM(1)] are generated randomly. Hence, the expectedlight transmission of FG[CM(1)] is L[FG[CM(1)]]¼1/2. AsL[FG[CM(0)]]¼L[FG[CM(1)]]¼1/2, i.e., d¼0, the random-grids FG1 alone is meaningless by Definition 5. &

Lemma 1. During stacking h (nZhZ2) independent ran-

dom-grids Gi1,Gi2,y,Gih, to form a stacked image Gh, the

expected average light transmission L[Gh] is (1/2)h.

Proof. By induction on h,

(1)

When h¼2, let c1 be a certain grid-pixel of random-grid Gi1, and c2 be the corresponding grid-pixel at thesame position as in Gi2. If each random-grid is gener-ated by a chaos function, the probability is 1/2 togenerate a black or white pixel. When superimposingtwo grid-pixels c1 and c2, denoted as c1�2, we have theprobability of (1/2)� (1/2)¼(1/4) to obtain the whitegrid-pixel, so that the expected light transmission ofthe superimposed result is L[G2]¼(((1/4)�w�h)/(w�h))¼1/4 by Definition 4.

(2)

Assume that the claim holds for h�1, i.e.,L½Gh�1

� ¼ ð1=2Þh�1.That implies if h�1 independent random-grids arestacked, (1/2)h�1

�w� h grid-pixels are transparentin the stacked result Gh�1. Furthermore, we need toprove that it also holds for h.

(3)

Upon superimposing Gh�1 and Gih , (1/2)� (1/2)h�1�

w�h pixels are transparent in the Gh. The expectedaverage light transmission of the superimposed result is

L½Gh� ¼ð1=2Þ � ð1=2Þh�1

�w� h

w� h¼

1

2

� �h

by Definition 4.

The proof ends. &

S

G1

G2

Gn-1

G3

Fig. 4. The concept tree of (n,n) VSS scheme by random grids.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736 731

Proposition 2. Reconstructed cheating message is visually

recognizable.

The stacking by superimposing the fake FG and thevictim’s random-grids should be visually recognized asthe cheating information. The expected contrast of thereconstructed result is always high enough to reveal theshape or information of the cheating message CM.

Proof. Suppose that the fake random-grid FG is dividedinto two parts, say FG[CM(0)] and FG[CM(1)]. The grid-pixels in FG[CM(0)] are the same as those in the victim’sGv[CM(0)]. Hence, the expected light transmission L[FG�Gv

[CM(0)]]¼L[FG[CM(0)]]¼1/2 where � denotes the stackingoperation. Since the grid-pixels in FG[CM(1)] are generatedrandomly and FG[CM(1)] is stacked with Gv[CM(1)], it istreated as the result of stacking two independent ran-dom-grids. The expected light transmission of the stackedresults is L[FG�Gv[CM(1)]]¼(1/2)2

¼1/4 by Lemma 1. Wehave the contrast

d¼L½FG� Gv½CMð0Þ���L½FG� Gv½CMð1Þ��

1þL½FG� Gv½CMð1Þ��

¼1=2� �

� 1=4� �

1þ 1=4� � ¼

1

5:

Thus, the cheating message is visually recognized. &

3. Cheating in (k,n) RG-based VSS

This section demonstrates that the cheating behaviorsucceeds in (k,n) RG-based VSS scheme by illustrating thecheating process in Chen and Tsao’s [23]. Different from the(2,n) RG-based VSS cheating process, the limitation of onlychanging the values of the grid-pixels corresponding to thewhite area in the original secret is removed. Consequently,cheaters can freely choose the cheating message CM.

3.1. Review of (k,n) RG-based VSS

Since the (n,n) RG-based VSS scheme [21] is the kernelof the (k,n) one [23], the former is introduced first. Themain concept of the (n,n) RG-based VSS scheme is shownin Fig. 4. The secret S is split into two random-grids G1 andR2. Subsequently, R2 is further split into two otherrandom-grids. Repeat this operation until the number ofrandom-grids is n.

The first cipher-grid G1 is randomly generated. Later,the second, called semi-random-grid R2, is by Kafri andKeren [18].

Secondly, the (k,n) RG-based VSS scheme [23] encom-passes three steps:

1)

The (n,n) scheme is used to encode a secret pixel S(i, j)into k sub-pixels g1(i, j), y, gk(i, j).

2)

The generated k bits are dispatched into k randomlyselected random grid pixels {Gi1(i,j),Gi2(i,j),y,Gik(i,j)}, asubset of {G1(i, j), G2(i, j), y, Gn(i, j)}.

3)

Lastly, the (n�k) bits located in the same location (i, j)of the remaining (n�k) random grids {G1, G2,y,Gn}�{Gi1, Gi2,y,Gik} are randomly generated.

4)

Repeat the above steps until all secret pixels areencoded.

Fig. 5 tells the story of the (k,n) RG-based VSS scheme.

3.2. Cheating scenario in (k,n) RG-based VSS

In Chen and Tsao’s [23] (k,n) RG-based algorithm, asecret image S is divided into n random-grids Gr

(r¼1,2,y,n). If one stacks any k out of n random-grids,the secret image can be revealed. After stacking thecheaters’ random-grids, they obtain the secret messageto evaluate the victims’ random-grids accordingly. In the(k,n) RG-based VSS cheating environment, any k cheaterscan produce k�1 fake random-grids, say FGf ¼ fFGf ði,jÞ9FGf ði,jÞ ¼ 0 or 1, 0%i%ðw�1Þ, 0%j%ðh�1Þg (f¼1,2,y,k�1). Upon the victim’s random-grid stacked with all k�1FGf, the cheating message is revealed.

3.3. Feasibility of cheating

Since the (k,n) RG-based VSS scheme [23] encodes asecret pixel into n grid-pixels, there are nþ1 combina-tions according to the numbers a of ‘‘1’’’s in the generated

n values of grid-pixels, say Aa ¼ f0n�a,0n�a�1,. . .,01

zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{n�a

,

1a,1a�1,. . .,11

zfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflffl{a

g, where a¼0,1,2,y,n. In other words, thereare n�a ‘‘0’’s and a ‘‘1’’s in combination Aa. If the cheaters

collect k grid-pixels, for example, Bb ¼ f0k�b,0k�b�1,. . .,01

zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{k�b

,

g1 r2

r3

( , )S i j

g2

g3

1kg

S

( , )S i j

G1 G2 Gn

Gn(i, j)G2(i, j)G1(i, j)

( ) bits generated randomly n k

gk = rk~

Fig. 5. The diagram of encoding process in the (k,n) RG-based VSS scheme.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736732

1b,1b�1,. . .,11

zfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflffl{b

g, in which there are k�b ‘‘0’’s and b ‘‘1’’s in Bb;there are

Ca ¼n�a

k�b

� �a

b

� �

combinations if there are k grid-pixels in Bb selected from Aa.Then, there are n�a�kþb ‘‘0’’s and a�b ‘‘1’’s remaining inAa. Hence, cheaters can effectively evaluate the values of avictim’s grid-pixels by guessing ‘‘1’’ with the probability of

((a�b)/(n�k)), denoted as Pa. Totally, there arePn

a ¼ 0 Ca

combinations and, expectedly,Pn

a ¼ 0 CaPa ‘‘1’’’s. Therefore,

the cheaters evaluate the victim’s grid-pixel ‘‘1’’ with the

probability ofPn

a ¼ 0 CaPa=Pn

a ¼ 0 Ca and ‘‘0’’ with the prob-

ability of 1�ðPn

a ¼ 0 CaPa=Pn

a ¼ 0 CaÞ. SincePn

a ¼ 0 CaPa=Pna ¼ 0 Ca is not always equal to 1/2, the guessing operation

is effective.An example is illustrated to simplify the demonstra-

tion of collusion attacks.

Example. Cheating processes in (3,4) RG-based VSS.Taking (3,4) RG-based VSS [23] for example, the gener-

ated grid-pixels are shown in Table 3. There are five cases,A1, A2, A3, A4 and A5, for encoding a black or white secretpixel. But for a black (resp. white) secret pixel, there arefour cases generated by Ref. [23]; i.e., A0, A1, A2 and A3

(resp. A1, A2, A3 and A4). Readers may read Ref. [23] fordetails. &

Assume cheaters collect three grid-pixels B0¼{0.0.0}.There are two cases, A0 and A1, including three zeros. In

case of B0¼{0,0,0}, we have4

3

� ��

0

0

� �¼ 4 combina-

tions generated by A0 and3

3

� ��

1

0

� �¼ 1 combination

by A1. The remaining grid-pixel is ‘‘0’’ (resp. ‘‘1’’) for A0

(resp. A1). Hence, the cheaters can correctly guess that thevalue of the left grid-pixel, i.e., the one in the victim’srandom-grid, is ‘‘0’’ (resp. ‘‘1’’) with the probability of 4/5(resp. 1/5).

Table 3The generated grid-pixels by (3,4)-RGVSS.

Combinations Secret

Black White

A0 – 0 � � 0 � �0 � �0

A1 1 � �0 � � 0 � �0 1 � �0 � � 0 � �0

A2 1 � �1 � �0 � � 0 1 � �1 � �0 � � 0

A3 1 � �1 � �1 � �0 1 � �1 � �1 � � 0

A4 1 � �1 � �1 � �1 –

Evaluating the victim'sgrid-pixel

CM(i, j)

Generating fake grid-pixelsFGf (i, j) by (k,k) RG-based VSS

FG1(i, j), FG2(i, j), ..., FGk-1(i, j)

Gi1 (i, j), Gi2 (i, j), ...,Gik (i, j)

Geva (i, j)

CM

Geav

FG1

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736 733

Assume cheaters collect three grid-pixels B2¼{0,1,1}.There are A2 and A3 including one ‘‘0’’ and two ‘‘1’’s. We

have2

1

� ��

2

2

� �¼ 2 combinations generated by A2 and

1

1

� ��

3

2

� �¼ 3 combinations by A3. The remaining grid-

pixel is ‘‘0’’ (resp. ‘‘1’’) in case of A2 (resp. A3). Hence, thecheaters can correctly guess at the value of the left grid-pixel, meaning the victim’s random-grid, is ‘‘0’’ (resp. ‘‘1’’)with the probability of 2/5 (resp. 3/5).

Likewise, we obtain the cases of B1 and B3, i.e., {0,0,1}and {1,1,1}. Note that the probability of successfullyguessing either ‘‘1’’ or ‘‘0’’ is not 1/2.

FGk-2 FGk-1

FG2

Fig. 6. (a) The procedure of cheating process and (b) generating k fake

grid-pixels by (k,k) RG-based VSS.

3.4. (k,n) RG-based VSS cheating operation

For simplicity to describe, the number of cheaters is setat k. The cheaters’ random-grids Gi1,Gi2,y,Gik and thecheating message CM are selected as the inputs of cheat-ing procedure to generate k�1 fake random-grids FG1(i,j),FG2(i,j), y, FGk�1(i,j).

Note that in Chen and Tsao’s (k,k) RG-based VSS [21], allgrid-pixels in the first random-grid are randomly generated.By the (k,n) RG-based VSS scheme [23], the k grid-pixels are,firstly, generated by (k,k) RG-based VSS [21] and, then, theother n-k grid-pixels are generated randomly.

The procedure of generating k�1 fake grid-pixels isdemonstrated in Fig. 6(a). There are two steps to generatethe k�1 grid-pixels.

1)

Evaluation of victim’s random-grid: Selecting k grid-pixels, say Gi1(i,j),Gi2(i,j),y,Gik(i,j), from cheaters’ legalrandom-grids. The cheaters can correctly guess at thevalues of grid-pixels Gm(i,j), mA{1,2,y,n}�{i1,i2,y,ik}in the victim’s random-grid with the probabilitygreater than 1/2. According to the numbers of ‘‘1’’s(or ‘‘0’’s) in the abovementioned k grid-pixels, thereare kþ1 combinations. As analyzed above, we have thecheaters evaluation of the victim’s grid-pixel ‘‘1’’ with

the probability ofPk

a ¼ 0 CaPa=Pk

a ¼ 0 Ca and ‘‘0’’ with

the probability of 1�ðPk

a ¼ 0 CaPa=Pk

a ¼ 0 CaÞ. Since the

equationPk

a ¼ 0 CaPa=Pk

a ¼ 0 Ca ¼ 1=2 does not always

hold, the evaluated grid-pixel Geva(i,j) is effectivelyguessed by cheaters. The generated noise-like Geva isclose to the victim’s random-grid.

2)

Generation of k�1 fake random-grids: Encode a certainpixel CM(i,j) by the (k,k) RG-based VSS scheme [21].

In the proposed cheating process, the evaluatedgrid-pixel Geva(i,j) is regarded as the first grid-pixel toencode the cheating pixel CM(i,j).

The main concept of the proposed (k,n) RG-based VSScheating process is shown in Fig. 6(b). It is conceptuallyobvious that the cheating message CM will be recognized bythe stacked result of superimposing Geva and all k�1 fakerandom-grids.

3.5. Analysis of cheating feasibility

In order to examine the feasibility of cheating in thresholdRG-based VSS, two properties should be satisfied. Firstly, thefake random-grids should be visually regarded as the generalnoise-like random-grids by the victim. Secondly, the appear-ance of the stacked result from superimposing the fake andthe victim’s random-grids should be visually recognized asthe cheating information.

Proposition 3. Fake random-grids are meaningless.

The fake random-grids should be visually recognizedas general noise-like random-grids such that they do notattract the victim’s extra attention.

Fig. 7. The experimental results of normal (2,4) RG-based VSS: (a) secret image S, (b) random-grid G1, (c) random-grid G2, (d) random-grid G3,

(e) random-grid G4, (f) G1�G2, (g) G1�G3, (h) G1�G4, (i) G2�G3, (j) G2�G4, and (k) G3�G4.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736734

Proof. The fake random-grids are generated by Chen andTsao’s [21] (k,k)-RGVSS. In Chen and Tsao’s (k,k)-RGVSS,the first random-grid is generated randomly. In theproposed cheating process, the evaluated random-grid

Geva, which is close to the victim’s random-grid, isregarded as the first random-grid. Hence, the generatedfake random-grids are noise-like. The proof may bereferred to Ref. [23]. &

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736 735

Proposition 4. Reconstructed cheating message is visually

recognizable.

The appearance of the stacked result by superimposingthe k�1 fake FG and the victim’s random-grids Gv shouldbe visually recognized as the cheating information.

Proof. The evaluated random-grid Geva is similar to Gv,the fake random-grids can be used to stack with Gv toreveal the secret information. The details of proof may beobtained in Ref. [23]. &

4. Experimental results

To demonstrate the feasibility of cheating by collusionattacks, some simulations are conducted.

Simulation 1: The experimental results of (2,n) RG-based VSS cheating process.

A binary image S illustrated in Fig. 7(a) with the size of1024�1024, is regarded as the secret image. After theencoding operations of (2,n) RG-based VSS [21], four mean-ingless random-grids Gr (r¼1,2,3,4) with the same size of S

are generated as illustrated in Fig. 7(b)–(e). Fig. 7(f)–(k)shows the stacked results of any two random-grids.

Fig. 8(a) shows the cheating message CM. The fake grid FG

shown in Fig. 8(b) is generated by cheaters. The result bystacking fake FG and G3 (resp. G4) is illustrated in Fig. 8(c)(resp. Fig. 8(d)). The experimental results demonstrate thecheating problem exists in Chen and Tsao’s (2,n) RG-basedVSS [21].

Simulation 2: The experimental results of (3,4)RG-based VSS cheating process.

A binary image S illustrated in Fig. 9(a) with the size of2048�2048, is regarded as the secret image. After theencoding operations in (k,n) RG-based VSS [23], four

Fig. 8. The experimental results of cheating operations in (2,4) RG-based

VSS: (a) cheating message CM, (b) fake grid FG1, (c) FG�G3, and

(d) FG�G4.

meaningless random-grids with the same size of S aregenerated as illustrated in Fig. 9(b)–(e). While the resultsof stacking three random-grids without cheating are

Fig. 9. The experimental result of (3,4) RG-based VSS: (a) secret image S,

(b) random-grid G1, (c) random-grid G2, (d) random-grid G3,

(e) random-grid G4, (f) G1�G2�G3, (g) G1�G2�G4, (h) G1�G3�G4,

and (i) G2�G3�G4.

Fig. 10. The experimental results of cheating attacks in (3,4) RG-based

VSS: (a) cheating message CM, (b) fake grid FG1, (c) fake grid FG2, and

(d) FG1�FG2�G4.

Y.-S. Lee, T.-H. Chen / Signal Processing 92 (2012) 727–736736

shown in Fig. 9(f)–(i), the results illustrated in Fig. 10(d)by stacking two fake random-grids shown in Fig. 9(b) and(c) and the victim’s tells that the cheating messageFig. 10(a) is visually recognizable.

After the cheating result was examined above, it isobvious that the cheating attack works even if cheaters areunable to realize all the grid-pixels in the victim’s random-grid.

5. Conclusion

As threshold RG-based VSS is regarded as a bettercandidate of visual secret sharing, the security risk becomesa high concern. This paper demonstrated that the insidecollusion attacks to the state-of-the-art RG-based VSSschemes is possible. The experimental results illustratedthe proposed cheating scheme does work. This potential riskshould be taken into account in practice. A cheatingprevention scheme becomes the future work of developingRG-based VSS.

Acknowledgment

This research was partially supported by National ScienceCouncil, Taiwan, ROC, under contract no. NSC 99-2221-E-415-017.

References

[1] A. Shamir, How to share a secret, Communications of the ACM 22(1979) 612–613.

[2] G. Blakley, Safeguarding cryptographic keys, in: Proceedings of theAFIPS Conference, 1979, pp. 313–317.

[3] M. Naor, A. Shamir, Visual cryptography, in: Proceedings of theAdvances in Cryptology: Eurocrypt94, Lecture Notes in ComputerScience, vol. 950, 1995, pp. 1–12.

[4] R. Lukac, K.N. Plataniotis, Bit-level based secret sharing for imageencryption, Pattern Recognition 38 (5) (2005) 767–772.

[5] T.H. Chen, C.S. Wu, Efficient multi-secret image sharing based onBoolean operations, Signal Processing 91 (2011) 90–97.

[6] C.N. Yang, A.G. Peng, T.S. Chen, MTVSS: (M)isalignment (T)olerant(V)isual (S)ecret (S)haring on resolving alignment difficulty, SignalProcessing 89 (8) (2009) 1602–1624.

[7] M. Naor, B. Pinkas, Visual authentication and identification, in:Proceedings of the 17th Annual International Cryptology Confer-ence on Advances in Cryptology, Lecture Notes in ComputerScience, vol. 1294, 1997, pp. 322–336.

[8] T.H. Chen, J.C. Huang, A novel user-participating authenticationscheme, Journal of Systems and Software 83 (2010) 861–867.

[9] C.C. Chang, J.C. Chuang, P.Y. Lin, Sharing a secret two-tone image intwo gray-level images, in: Proceedings of the 11th InternationalConference on Parallel and Distributed Systems, vol. 2, 2005,pp. 300–304.

[10] W.P. Fang, J.C. Lin, Visual cryptography with extra ability of hidingconfidential data, Journal of Electronic imaging 15 (2) (2006)023020-1–023020-7.

[11] T.H. Chen, D.S. Tsai, Owner–customer right protection mechanismusing a watermarking scheme and a watermarking protocol,Pattern Recognition 39 (8) (2006) 1530–1541.

[12] T.H. Chen, T.H. Hung, G. Horng, C.M. Chang, Multiple watermarkingbased on visual secret sharing,, International Journal of InnovativeComputing Information and Control 4 (11) (2008) 3005–3026.

[13] G.B. Horng, T.H. Chen, D.S. Tsai, Cheating in visual cryptography,Designs, Codes and Cryptography 38 (2) (2006) 219–236.

[14] R.D. Prisco, A.D. Santis, Cheating immine (2,n)-threshold visualsecret sharing scheme, Security and Cryptography for Networks,Lecture Notes in Computer Science 4116 (2006).

[15] D.S. Tsai, T.H. Chen, G. Horng, A cheating prevention scheme forbinary visual cryptography with homogeneous secret images,Pattern Recognition 40 (8) (2007) 2356–2366.

[16] D.S. Tsai, G. Horng, Cheating in visual cryptography revisited, in:Proceedings of the 17th Information Security Conference, 2007,pp. 769–771.

[17] C.M. Hu, W.G. Tzeng, Cheating prevention in visual cryptography,IEEE Transactions on Image Processing 16 (1) (2007) 36–45.

[18] O. Kafri, E. Keren, Encryption of pictures and shapes by randomgrids, Optics Letters 12 (6) (1987) 377–379.

[19] S.J. Shyu, Image encryption by random grids, Pattern Recognition40 (2007) 1014–1031.

[20] S.J. Shyu, Image encryption by multiple random grids, PatternRecognition 42 (2009) 1582–1596.

[21] T.H. Chen, K.H. Tsao, Visual secret sharing by random gridsrevisited, Pattern Recognition 42 (2009) 2203–2217.

[22] R.Z. Wang, Y.T. Lee, Random grid based visual cryptography withidentifiable shares, Journal of Electronic Imaging 20 (1) (2011)013021:1–8.

[23] T.H. Chen, K.H. Tsao, Threshold visual secret sharing by randomgrids, Journal of Systems and Software 84 (2011) 1197–1208.

[25] A. Kanso, N. Smaoui, Logistic chaotic maps for binary numbersgenerations, Chaos, Solitons & Fractals 40 (2009) 2557–2568.

[26] T.H. Chen, K.H. Tsao, User-friendly random grid-based visual secretsharing, IEEE Transactions on Circuits and Systems for VideoTechnology, doi:10.1109/TCSVT.2011.2133470, in press.