Proactive visual cryptographic schemes for general access structures

Abstract

In the modern digital era, long-term protection of digital data, stored in a server, is essential, especially when it is in the format of medical images like electronic health records, MRI scans, etc. Visual cryptography is an efficient method to protect secret image data by encoding it into shares and keeping in different servers. However, if the shares, stored in several servers, remain unaltered for a long time, an adversary may capture the shares one by one and in the end, break the confidentiality of the secret data. In the current paper, we propose, to the best of our knowledge, the first proactive visual cryptographic scheme for general access structures. In our scheme, the shares are embedded within meaningful cover images and are stored in different servers. The main advantage of our scheme is that the meaningful share images are updated periodically without changing the original secret image. The updating/renewal procedure makes the previous shares statistically independent from the current shares. The secret image can be reconstructed only by the lastly updated share images. This technique prevents the aforementioned attack. The renewal procedure can be performed an unlimited number of times still keeping the quality of the reconstructed image unchanged. The mathematical analyses along with the experimental results exhibit the practicality of our proposed scheme.

1 Introduction

In the modern era, steganography and cryptography play very important roles as main instruments for data hiding techniques. Particularly, they have found important applications to protect healthcare data [19], biometric data [7], genomic data [18] and medical/biological image data [3, 4, 32, 34]. On the other hand, any of the information hiding techniques and machine learning framework like generative adversarial network(GAN) can be used in a blended way [36, 38] for securing images.

A visual cryptographic scheme (VCS), on a set of n participating servers, enables a user to encode a secret image into n shares and distribute these shares among n servers. Typically, the user then deletes the image from her storage, and later she contacts the servers when she wants to recover the image. The generation of these shares is done in such a manner so that only pre-specified “qualified” subsets of servers can be contacted to recover the image. On the other hand, the shares held by any subset which are not qualified can not reveal any information about the secret image. These latter type of subsets are known as “forbidden”. Such a collection of qualified sets and forbidden sets constitute an access structure \(\mathcal {A}\) on the set of n servers. In this paper, we consider access structures where any subset of servers is either a qualified set or a forbidden set. Most commonly known access structures are (k,n)-threshold access structures where any set of shares (of size at least k) are enough to reconstruct the secret, whereas, no collection of at most k − 1 shares reveal any information about the secret.

Naor and Shamir [24] introduced and formalized the notion of visual secret sharing (a.k.a visual cryptography) and provided a methodology that did not require any computer participation for the recovery of secret images. This was made possible by using Boolean operation “OR” during the reconstruction process. “OR” based visual cryptography was later extended in [1, 2, 5, 11, 28] to general access structures and in [10, 12, 37, 40] to generalized OR-based color visual cryptographic schemes. Most of the constructions are realized by constructing so-called basis matrices. The major problems for any OR-based visual cryptographic scheme are the huge share size (pixel expansion) and very poor contrast of the reconstructed image.

To improve upon the quality (contrast) of the superimposed image, several attempts were made. Tuyls et al. [35] put forward a new model of VCS based on the polarization of light where the underlying mathematical operation was the Boolean “XOR” operation. In [35] the authors constructed a XOR-based (n,n)-VCS and proved that a XOR-based (2,n)-VCS is equivalent to a binary code. For further reading on the topic the reader may refer to [21, 41, 42]. All these papers have the common property that all of them are non-monotonic in nature, i.e., a superset of the minimal qualified set may not get the secret back. In the case of Liu et al. XOR-based step construction for general access structures [21], the pixel expansion is less when compared to other constructions in the literature. Several papers [17, 26, 29], used Liu et al.’s step based construction for general access structures [21] as building block.

Other models of sharing secret images include polynomial based image sharing schemes [14, 30, 33, 43] and the Chinese Remainder Theorem (CRT) based schemes [8, 20, 22, 39].

In this paper, we consider “XOR” operation based visual cryptographic schemes only.

1.1 Motivation & objective

Protecting data for long term. Data that are stored digitally sometimes require protection throughout their whole lifetime which may be varying depending on the nature of data and could be very long. One of the most important protection goals is confidentiality which means that only authorized servers/users can access the data and nobody else. The example of storing health-related data is an important case in point. The data must be securely stored at least as long the patients are alive. Another important issue in the context of such long-term storage is the issue of availability of the data i.e. the data can be retrieved at any point of time by legitimate users. Information theoretically secure secret sharing provides one methodology towards creating a system that can provide above mentioned “security” properties.

In a k-out-of-n secret sharing scheme, any k shares are enough to reveal/reconstruct the secret. If the shares are stored for a relatively long period, then it is only a matter of time that an adversary breaks into a sufficient number of servers (in this case, k many servers) and reconstructs the secret. In this case, the confidentiality of the secret data is lost if they are left alone for a long period. Such an adversary is called a mobile adversary who captures servers gradually over a period of time. The mobile adversary setting was originally presented in the context of secure systems by Ostrovsky and Yung [25].

One of the most important known approaches to address long-term confidentiality of secret data is to use proactive secret sharing (PSS) which was introduced by Herzberg et al. [16]. To prevent a mobile adversary from being able to collect enough shares over time to reconstruct the data, the shares are renewed periodically. After every renewal process, the servers stores the new shares which are generated as the outcome of the renewal process, and deletes the old shares. Note that, the renewal process must ensure that the shares before the renewal and after the renewal must be statistically independent; otherwise they may reveal nontrivial information about the secret entity.

Proactive secret sharing generally is built on secret sharing schemes which are linear - i.e. the secret is a linear combination/sum of chosen shares. Such linear secret sharing schemes exist and in fact, the first secret sharing scheme of Shamir [31] is linear. This immediately effects an inclusion of update/renewal procedure of the shares – every server or server independently generates shares of the value 0 in accordance with the access structure and send those values to every other server; the servers then update their existing share by adding the values which they receive from others. Since during the renewal process every server chooses 0 and secret shares the value among all the servers, the procedure along with the linearity property of underlying secret reconstruction together imply that the original secret remains the same but the shares are updated.

We refer to the share renewal process of Herzberg et al. [16] when the servers behave semi-honestly during the share update protocol. The process can further be modified to resist attacks from malicious servers which have been taken care of by using a verifiable secret sharing technique. For more details, we refer to the work of [16].

Related works on secret image data. Although there exist a plethora of works to ensure proactive security for secret sharing schemes and their applications, not much research has been carried out in the context of secret image data sharing which has its own challenges and applications. To the best of our knowledge, the only works which have addressed the issue are by Guo et al. [15] and Trujillo et al. [13]. The work of Guo et al. [15] is based on a proactive linear integer secret sharing scheme proposed by Ma and Ding [23]. They have meaningful shadows with reasonable embedding capacity and the secret image can be reconstructed losslessly. One drawback of their proposal is that the share renewal procedure could be performed only a limited number of times. Trujillo et al. [13] considered security against state- of-the-art machine learning algorithms to break the steganographic security and proposed scheme which is resilient to such attacks.

Challenges for VCS. The area of secret image sharing is closely related to the area of general secret sharing. On the other hand, visual cryptography follows a model concretely defined by [24] which differs from the security model of general secret sharing. Therefore, the constructions and the realizations of VCS differ significantly from those of Secret Image sharing. It introduces certain challenges to achieve the proactive nature of VCS and thus suitable modifications are required – they cannot be achieved directly from the constructions of [13, 15]. To point out one of the main difficulties, we refer to the basic constructions of XOR-based schemes [9, 35] etc. where the shares are generated by constructing so-called “basis matrices” where random column permutations are applied on the columns and each row is given as the shares to the servers. It is not very hard to see that such a construction cannot be used to achieve proactivity because the servers then must know the exact column permutation in order to introduce proactive nature in the scheme. However, revealing the permutation seriously affects the security of the scheme. We can only bypass the difficulty if we give multiple shares to the servers for each secret pixel.

Applications to storing medical images. The patient’s confidentiality regarding his/her treatment is of vital importance and should be protected. It is the right of an individual that his/her personal and medical information is kept confidential. Individuals rely upon Cloud Storage Providers (CSP) for storing their information due to the lack of storage space in their personal gadgets. The main concern in cloud storage is its confidentiality. To obtain confidentiality users will store the secret image in the form of secret shares in various CSP and reconstruct the secret image back by combining the shares [27].

Figure 1 shows two cover images, secret MRI image and reconstructed MRI image for the qualified subset ({Ser₁,Ser₂,Ser₃}). Figure 2 shows the experimental results of generated meaningful cover shares of the participants in the qualified subsets ({Ser₁,Ser₂,Ser₃} and {Ser₁,Ser₃,Ser₄}) of Γ, after “proactively” renewing the shares of secret MRI image. Detailed explanation for this experiment is given in Section 4.2.

Fig. 1

Experimental results on PS-2(DC) (Section 4.2) for access structureΓ = {{Ser₁,Ser₂,Ser₃}, {Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}: (a) Cover Image 1, (b) Cover Image 2, (c) Secret MRI, (d) Reconstructed output after first share renewal procedure

Fig. 2

(a-f) Cover shares of servers Ser₁, Ser₂, Ser₃, Ser₄ after first renewal using PS-2(DC) for access structure Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}

1.2 Our contribution

In this work, we put forward a proactive visual cryptographic scheme for general access structures. To the best of our knowledge, this is the first work on a proactive visual cryptographic scheme. We take “XOR” based constructions in order to include share update/renewal procedure into the system. We have taken a generic approach where a XOR-based visual cryptographic scheme for general access structures can be upgraded to achieve proactive security. In particular, we have considered two methodologies of constructing underlying basic XOR-based VCS. The first one uses linear algebraic technique on a finite field of size 2 and the second one is using a step construction technique which partitions the access structure and then uses (2,2)- sharing protocol iteratively till all the servers are exhausted. There is no limit to the number of renewal protocols performed by the servers. The quality of the reconstructed secret image remains the same all throughout the lifetime of the secret image. One of the important features in our work that makes it more applicable in practice is the lossless recovery of secret images. Table 1 shows the comparison of our proposed schemes with related works.

Table 1 Comparison with other schemes

We have provided experimental analysis on the pixel expansion and the quality of the reconstructed image. In the later part of the paper, we have used cover images as in steganography to spawn meaningful shares on top of “proactive” ness of the schemes. As already mentioned previously, this work has one very important application in the field of storing medical images.

2 Preliminaries

In the following, we define the basic terminologies required for the rest of the paper. Table 2 shows the notations used in the paper with its corresponding descriptions.

Table 2 Notations

2.1 XOR based visual cryptographic scheme (XVCS)

Let S be an n × m Boolean matrix and let \(X \subset \mathcal {P}\). By S[X] we denote the matrix obtained by restricting the rows of S to the indices belonging to X. Further, for any \(X \subset \mathcal {P}\) the vector obtained by Implementing the Boolean XOR operation “⊕”, to the rows of S[X] is denoted by S_X. The Hamming weight of the row vector which represents the number of ones in the vector S_X is denoted by w(S_X).

Definition 1

Let \(\mathcal {P}=\{1,2,3,\ldots ,n\}\) be a set of servers. An access structure on \(\mathcal {P}\) is defined by a tuple Γ = (Γ_QM,Γ_FM) such that Γ_QM ∩Γ_FM = ∅. Γ_QM denotes a collection of subsets of \(\mathcal {P}\) and each subset is called a minimal qualified set. On the other hand, Γ_FM is known as the collection of maximal forbidden subsets of \(\mathcal {P}\).

Definition 2

Let \(\mathcal {P}=\{1,2,3,\ldots ,n\}\) be a set of servers and Γ be an access structure defined on \(\mathcal {P}\). A XOR-based visual cryptographic scheme (XVCS) on \(\mathcal {P}\) satisfies the following two conditions:

1. 1.

   Any minimal qualified set of servers can recover the secret.

2. 2.

   Any forbidden set of servers does not have any information about the secret image.

In the following, we give a standard definition of an XVCS through basis matrices.

Definition 3 (Basis Matrices 9, 35)

An XVCS on an access structure Γ is realized using two n × m binary matrices S⁰ and S¹ called basis matrices, if there exist two sets of non-negative real numbers \(\{\alpha _{X}\}_{X \in {\Gamma }_{QM}}\) and \(\{t_{X}\}_{X \in {\Gamma }_{QM}}\) such that the following two conditions hold:

1. 1.

   (contrast) If X ∈Γ_QM, then \(S^0_X\), the “XOR” of the rows indexed by X of S⁰, satisfies \( w(S^0_X) \leq t_{X} -\alpha _{X} \cdot m;\) whereas, for S¹ it results in \(w(S^1_X) \geq t_{X}\).

2. 2.

   (security) If Y = {i₁,i₂,…,i_s}∈Γ_FM then the two s × m matrices S⁰[Y ] and S¹[Y ] obtained by restricting S⁰ and S¹ respectively to rows i₁,i₂,…,i_s are identical up to a column permutation.

The number m is called the pixel expansion of the scheme. Also α_X and α_X ⋅ m respectively denote the relative contrast and contrast of the recovered image reconstructed by the minimal qualified set X.

Definition 4

(Collection of Matrices [9, 35]) Let \(\mathcal {P}=\{1,2,3,\ldots ,n\}\) be a set of servers. Let Γ = (Γ_QM,Γ_FM) be an access structure defined on \(\mathcal {P}\). Let m and \(\{h_X\}_{X \in {\Gamma }_{QM}}\) be non-negative integers satisfying 1 ≤ h_X ≤ m. Two collections of n × m binary matrices \(\mathcal {C}_{0}\) and \(\mathcal {C}_{1}\) realizes XVCS on Γ, if there exists {α_X > 0 : X ∈Γ_QM} such that

1. 1.

   For any \(S \in \mathcal {C}_{0}\), the “XOR” operation of the rows of S[X] for any minimal qualified set X ∈Γ_QM results in a vector v₀ satisfying w(v₀) ≤ h_X − α_X ⋅ m.

2. 2.

   For any \(T \in \mathcal {C}_{1}\), the “XOR” operation of the rows of T[X] for any minimal qualified set X results in a vector v₁ satisfying w(v₁) ≥ h_X.

3. 3.

   Any forbidden set Y ∈Γ_FM has no information on the shared image. Formally, the two collections of |Y |× m matrices D_t, with t ∈{0,1}, obtained by restricting each n × m matrix in C_t to rows indexed by Y are indistinguishable in the sense that they contain the same matrices with the same frequencies.

2.2 Linear Algebraic Construction of XVCS [9]

Dutta and Adhikari [9] provided an efficient linear algebra based construction of XVCS realizing any (k,n) threshold access structure. In their construction method, the \(\dbinom {n}{k}\) many minimal qualified sets B₁,…,B_q (where \(q=\dbinom {n}{k}\)) are partitioned into {(B₁,B₂),(B₃,B₄),…,(B_q− 1,B_q)} if q is even or {(B₁,B₂),(B₃,B₄), …,(B_q− 2,B_q− 1),(B_q)} if q is odd. For each participant i, assign a variable x_i. For each size 2 subset (B_r− 1,B_r) consider the following systems of equations

$$ \left . \begin{array}{cl} \displaystyle\sum\limits_{s \in B_{r-1}}x_{s}=&0 (mod~2)\\ \displaystyle\sum\limits_{t \in B_{r}}x_{t}=&0 (mod~2)\\ (x_{u})_{u \notin B_{r-1}\cup B_{r}}&=\textbf{0} \end{array} \right \} {\cdots} (r) \text{~~~and~~~~} \left . \begin{array}{cl} \displaystyle\sum\limits_{s \in B_{r-1}}x_{s}=&1 (mod~2)\\ \displaystyle\sum\limits_{t \in B_{r}}x_{t}=&1 (mod~2)\\ (x_{u})_{u \notin B_{r-1}\cup B_{r}}&=\textbf{0} \end{array} \right \} {\cdots} (r^{\prime}) $$

If q is odd then the last system is defined as \(\displaystyle \sum\limits_{s \in B_{q}}x_{s}=0 (mod~2) \) (or 1(mod 2)) along with \((x_u)_{u \notin B_q}=\textbf {0}\) \(S^0_r\) denote the Boolean matrix whose columns are all possible solutions of the system (r). Also, let \(S^1_r\) denote the Boolean matrix whose columns are all possible solutions of the system \((r^{\prime })\). Let (S⁰,S¹) denote the pair of Boolean matrices obtained by the concatenations: S⁰=\({S^{0}_{2}}||{S^{0}_{4}}||{\cdots } ||S^{0}_{\lceil \frac {q}{2}\rceil }\) and S¹=\({S^{1}_{2}} ||{S^{1}_{4}}||{\cdots } ||S^{1}_{\lceil \frac {q}{2}\rceil }\). It was shown in [9] that the pair (S⁰,S¹) obtained in the above manner admits basis matrices realizing k-out-of-n XVCS.

2.3 Step construction of XVCS by Liu et al. [21]

Let C₀ = \(\Bigg \{\left \{\begin {array}{c} 1\\1 \end {array}\right \},\left \{\begin {array}{c} 0\\0 \end {array}\right \} \Bigg \}\) and C₁ = \(\Bigg \{ \left \{\begin {array}{c} 1\\0 \end {array}\right \},\left \{\begin {array}{c} 0\\1 \end {array}\right \} \Bigg \}\) be the two collections of matrices used for sharing a 0 and 1 pixel respectively in XOR based (2,2)-VCS. Here the reconstructed image RI is same as the secret image SI. Liu et al. [21] in 2010 developed a non-monotonic step construction by recursively calling XOR based (2,2)-VCS. In step construction, each server holds different number of shares, so that the average pixel expansion (APE) was introduced instead of pixel expansion. The APE [21] is defined as the average value of the total pixel expansions of the share images that each server holds. The APE and relative contrast of step construction is better when compared to other results and is given in Table 1 of paper [17]. Step construction was developed based on the following definitions and theorem.

Definition 5

(Equivalent servers [21]) Let (Γ_QM,Γ_FM) be an access structure on P. If servers p_i and p_j satisfy that, for all A ∈Γ_FM, p_i ∈ A if and only if p_j ∈ A, then server p_i and p_j are considered to be equivalent servers on Γ_QM, denoted by \({p}_{i}\sim {p}_{j}\).

The relation \(\sim \) is an equivalence relation on P. Let \(\widetilde {{P}}\) be the quotient set derived from P based on \(\sim \). The following definition shows how to simplify the access structure based on equivalent servers.

Definition 6

(Simplifying access structure [21]) The simplified access structure based on the equivalent servers is \(\widetilde {{\Gamma }_{QM}}\) = {\(\widetilde {{A}}\): A ∈Γ_QM }, where the set \(\widetilde {{A}}\) = {\(\tilde {{p}_{i}}\in \widetilde {{P}}\): p_i ∈ A} is called the corresponding set of A and \(\widetilde {{p}_{i}}\) is called the equivalence class of p_i. Γ_QM is called the most simplified access structure when \(\widetilde {{\Gamma }_{QM}}\) = Γ_QM.

Theorem 1

[21] Let \(\widetilde {{\Gamma }_{QM}}\) = {\(\widetilde {{A}}\): A ∈Γ_QM }. By distributing the same share to the equivalent servers, any construction of VCS for the \(\widetilde {{\Gamma }_{QM}}\) is also a construction of VCS for the Γ_QM.

For a detailed description of the share generation procedure for any access structure, we refer to the paper by Liu et al. [21]. The basic idea is to divide/partition the given access structure into simpler sub-access structures and apply (2,2)-XVCS iteratively for each simplified sub-access structure to generate the shares for the servers. In the following, we describe the main steps of the share generation algorithm through Example 1.

Example 1

Let Ser = {Ser₁,Ser₂,Ser₃,Ser₄} and SI = \(\begin {bmatrix} 1 & 0 \end {bmatrix}\) denote the set of servers and secret image respectively. Let Γ_QM = {{Ser₁,Ser₂},{Ser₁,Ser₃}, {Ser₂,Ser₃,Ser₄}} be the collection of minimal qualified sets. The step construction by Liu et al. [21] for XVCS divides Γ_QM into two parts Γ₁ = {{Ser₁,Ser₂},{Ser₁,Ser₃}} and Γ₂ = {{Ser₂,Ser₃,Ser₄}}. Then dealer performs the following steps. 1) For Γ₁: \({Ser}_2\sim {Ser}_3\), so implement (2,2)-scheme on SI to spawn two random shares say, \({A}_{1}=\begin {bmatrix} 0 & 1 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 1 & 1 \end {bmatrix}\). Assign A₁ to Ser₁ and B₁ to both Ser₂ and Ser₃. 2) For Γ₂: Implement (2,2)-scheme on SI to spawn two new random shares \({A}_{2}=\begin {bmatrix} 0 & 0 \end {bmatrix}\) and \({B}_{2}=\begin {bmatrix} 1 & 0 \end {bmatrix}\). Implement (2,2)-scheme on B₂ to spawn shares \({A}_{3}=\begin {bmatrix} 1 & 1 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 0 & 1 \end {bmatrix}\).Then distribute A₂ to Ser₂, A₃ to Ser₃ and B₃ to Ser₄ respectively. So Ser₁ holds share sh_(1,1) = A₁. Ser₂ holds shares sh_(2,1) = B₁ and sh_(2,2) = A₂. Ser₃ holds shares sh_(3,1) = B₁ and sh_(3,2) = A₃. Ser₄ holds share sh_(4,1) = B₃. The individual random shares generated using Liu et al.’s step construction for XVCS are of same size of SI. Since the servers hold multiple shares, the average pixel expansion APE = (1 + 2 + 2 + 1)/4. Reconstructed image RI is exactly same as SI and can be generated jointly by

1. 1)

   Servers Ser₁ and Ser₂ by computing: RI = sh_(1,1) ⊕ sh_(2,1).

2. 2)

   Servers Ser₁ and Ser₃ by computing: RI = sh_(1,1) ⊕ sh_(3,1).

3. 3)

   Servers Ser₂, Ser₃ and Ser₄ by computing: RI = sh_(2,2) ⊕ sh_(3,2) ⊕ sh_(4,1).

2.4 VCS with Covers [6]

Meaningful shares are generally used to reduce the suspicion of(channel) attackers during the transmission of shares and facilitate share management. For VCS with covers, the share of the servers belonging to set Ser is meaningful, and is not random-looking as in conventional VCS. Let \({C}^{sp}_{{b}_1, ..,{b}_{n} }\) for, b₁, .., b_n ∈ {0,1}, be the collection of matrices to encode a pixel b_i, where i = 1 to n in the image Cov_i (meaningful images or cover images) associated to servers in set Ser in order to obtain a secret pixel sp when the transparencies associated to the servers in the set A ∈Γ_Qual are stacked together. Hence there will be a collection of 2ⁿ pairs (\({C}^{0}_{{b}_1, ..,{b}_{n}}\), \({C}^{1}_{{b}_1, ..,{b}_{n}}\)) for all possible combinations of white and black pixels in the n cover images. Let \({T}^{0}_{{b}_1, ..,{b}_{n}} = \begin {bmatrix}{S}^{0} \ || \ {H}\end {bmatrix} \in {C}^{0}_{{b}_1, ..,{b}_{n}}\) and \({T}^{1}_{{b}_1, ..,{b}_{n}} = \begin {bmatrix}{S}^{1} \ || \ {H}\end {bmatrix} \in {C}^{1}_{ {b}_1, ..,{b}_{n}}\) where, S⁰ (resp. S¹) are the basis matrices of a based perfect black VCS [5] and when “OR” ing the rows of H matrix corresponding to the servers in the Γ_QM (qualified set), an all one row vector will obtain. This implies that T⁰ (resp. T¹) are basis matrices of a perfect black extended VCS for sharing 0 (resp. 1) pixel in SI. Example 2 illustrates this extended VCS construction.

Example 2

Let Ser = {Ser₁,Ser₂,Ser₃} be the set of servers. Let the minimal qualified set is denoted by Γ_QM = {{Ser₁,Ser₂},{Ser₁,Ser₃},{Ser₂,Ser₃}}. Let SI \(= \begin {bmatrix} 0 & 1 \end {bmatrix}\). Let the cover images used are \({Cov}_1 = \begin {bmatrix} 1 & 1 \end {bmatrix}\), \({Cov}_2 = \begin {bmatrix} 0 & 0 \end {bmatrix}\) and \({Cov}_3 = \begin {bmatrix} 1 & 0\end {bmatrix}\). Let \({S}^{0} = \left [ \begin {array}{cccc} 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 \end {array}\right ]\) and \({S}^{1} = \left [ \begin {array}{cccc} 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 0 & 1 & 1 \end {array}\right ]\). For sharing a 0 pixel and 1 pixel, the Boolean matrices used are \({T}_{101}^{0} = \left [ \begin {array}{cccc||ccc} 1 & 1 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 & 1 & 1 & 1 \end {array}\right ]\) and \({T}_{100}^{1} = \left [ \begin {array}{cccc||ccc} 1 & 1 & 0 & 1 & 1 & 1 & 1\\ 1 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 1 & 0 & 1 \end {array}\right ]\) respectively. The pixel expansion and relative contrast of Ateniese et al. [6] scheme, for this access structure (Γ_QM,Γ_FM) is 7 and 1/7 respectively.

The following two sections contain the main results of the proactive visual cryptographic scheme. In Section 3, we describe the basic proactive schemes without cover images and later in Section 4, we will extend the basic scheme to include meaningful cover images.

3 Proactive VCS (PS) without covers

In this section, we present two efficient proactive XOR-based visual cryptographic schemes (XVCS) for any general access structure. The first proactive scheme (PS-1) follows a linear algebraic construction methodology (Fig. 3). The second scheme (PS-2) uses the step construction technique of Liu et al. [21] for generating the shares of secret pixel values. We describe the renewal procedures and perform a comparative analysis of the two schemes. We observe that the renewal procedure does not affect the quality of the reconstructed image for both schemes.

Fig. 3

Experimental results based on PS-1 for access structure Γ = {{Ser₁,Ser₂},{Ser₂,Ser₃}, {Ser₃,Ser₄}}: (a) Secret image, (b-g) shares of servers Ser₁,Ser₂, Ser₃,Ser₄ with out any renewals, (h-j) Reconstructed outputs without any renewals, (k-p) shares of servers after second renewal, (g-i) Reconstructed outputs at time t = 2

3.1 Proactive linear algebraic XVCS (PS-1)

We begin with describing the basic visual cryptographic scheme for general access structure following linear algebra-based methodology on binary finite field Z₂. Dutta and Adhikari [9] proposed a linear algebraic construction of XVCS for any threshold access structures but their construction was through basis matrices which are unsuitable for incorporating proactivity into the system. The following construction resolves that problem and we will be able to add a renewal procedure to update the shares.

Let Γ =(Γ_QM,Γ_FM) be a (general) access structure on a set of n servers. The share generation algorithm share_Γ is as follows. We associate a Boolean variable x_i to each server i for all i= 1,2,…,n. B ∈Γ_QM is a typical representative of a minimal qualified set in the access structure. We arrange the elements of Γ_QM in some order according to our choice say, e.g., lexicographic order, B₁,B₂,…,B_r.

For each B_q where 1 ≤ q ≤ r consider the equations: \(f_{B_{j}}=0\) and \(f_{B_{j}}=1\) which respectively denote the linear equations \(\displaystyle \sum\limits_{k \in B_{j}}x_{k}=0 (mod~2)\) and \(\displaystyle \sum\limits_{k \in B_{j}}x_{k}=1 (mod~2)\). Also, denote by \(C_j = \mathcal {P} \setminus B_j\) i.e. those servers who are not in B_j. Further, let \(\boldsymbol {\mathcal {F}}_{\mathbf {C}_{\mathbf {i}}}=\mathbf {0}\) denote the following system of linear equations:

$$ x_{i_{1}}=0,~x_{i_{2}}=0, \ldots, ~x_{i_{t_{i}}}=0. $$

where \(C_i=\{x_{i_{1}},x_{i_{2}},\ldots ,x_{i_{t_{i}}}\}\).

We consider the following systems of linear equations over the field Z₂: For 1 ≤ i ≤ r,

$$ \left . \begin{array}{cl} f_{B_{i}}&=0\\ \boldsymbol{\mathcal{F}}_{\mathbf{C}_{\mathbf{i}}}&=\mathbf{0} \end{array} \right \} {\cdots} (i) ~~~~~~\text{and}~~~~~~~ \left . \begin{array}{cl} f_{B_{i}}&=1\\ \boldsymbol{\mathcal{F}}_{\mathbf{C}_{\mathbf{i}}}&=\mathbf{0} \end{array} \right \} {\cdots} (i^{\prime}) $$

Let for any 1 ≤ i ≤ r, \(S^0_i\) denote the Boolean matrix whose columns are all possible solutions of the system (i). Also, let \(S^1_i\) denote the Boolean matrix whose columns are all possible solutions of the system \((i^{\prime })\). That is, if we choose the entries indexed by the servers in B_i from any column of \(S^0_i\), then those entries satisfy the equation \(\displaystyle \sum\limits_{k \in B_{i}}x_{k}=0 (mod~2)\). Same is the intuition for \(S^1_i\). The above observations show that when a qualified set B_i of shares are “superposed” then they reconstruct the white/black pixel perfectly.

The share generation algorithm share_Γ is summarized in Fig. 4. Note that, the share generation algorithm assigns multiple shares to a server and in fact, for every minimal qualified set in the access structure, a share is assigned to a server. Example 3 shows the share generation procedure.

Fig. 4

share_Γ(b): share generation algorithm for a secret pixel b

The reconstruction procedure is simple. When a qualified set Q ∈Γ_QM of servers submits shares for reconstruction then a minimal qualified set \(B \subseteq Q\) of shares are chosen and the secret is reconstructed using the shares corresponding to that minimal qualified set.

A Fact from Linear Algebra. It is a well known fact that if we consider two systems of linear equations (written using the matrix notation) Ax = 0 and Ax = b where b≠ 0, then all possible solutions of the second system can be obtained by adding (i.e., addition of solution vectors) one particular solution of the second system to each solution of the first system.

Remark 1

The methodology followed to construct \(S^0_i\) and \(S^1_i\) (as described above) shows that each block \(S^1_i\) can be obtained from \(S^0_i\) by adding a particular solution of the system \((i^{\prime })\) to each column of \(S^0_i\). Therefore, it is not so hard to see that for a forbidden set F of servers the restricted submatrix \(S^0_i[F]\) (which contains only the rows corresponding to the indices in F) is equal to \(S^1_i[F]\) (maybe the columns are permuted).

Example 3

Let Ser = {Ser₁,Ser₂,Ser₃,Ser₄} and SI \(= \begin {bmatrix} 0 & 1 \end {bmatrix}\) denote the set of servers and secret image respectively. Let the minimal qualified set is denoted by Γ_QM = {{Ser₁,Ser₂},{Ser₂,Ser₃},{Ser₃,Ser₄}}. (1) In order to spawn shares for the secret pixel 0 solve the equations x₁ ⊕ x₂ = 0; x₁ ⊕ x₃ = 0; x₃ ⊕ x₄ = 0 and construct the three matrices \({S}_1^{0} = \left [ \begin {array}{cc} 0 & 1 \\ 0 & 1 \\ 0&0 \\ 0 & 0 \end {array}\right ]\); \({S}_2^{0} = \left [ \begin {array}{cc} 0 & 1 \\ 0 & 0 \\ 0&1 \\ 0 & 0 \end {array}\right ]\); \({S}_3^{0} = \left [ \begin {array}{cc} 0 & 0 \\ 0 & 0 \\ 0&1 \\ 0 & 1 \end {array}\right ]\). To spawn the shares of the servers choose one column randomly and distribute the entries to the servers. Suppose we choose first column of \({S}_1^{0}\), second column of \({S}_2^{0}\) and second column of \({S}_3^{0}\) then the shares of Ser₁ are {0,1,0}. shares of Ser₂ are {0,0,0}, for Ser₃ are {0,1,0} and for Ser₄ are {0,0,1}.

(2) In order to spawn shares for the secret pixel 0 solve the equations x₁ ⊕ x₂ = 1; x₁ ⊕ x₃ = 1; x₃ ⊕ x₄ = 1 and construct the three matrices \({S}_1^{1} = \left [ \begin {array}{cc} 0 & 1 \\ 1 & 0 \\ 0&0 \\ 0 & 0 \end {array}\right ]\); \({S}_2^{1} = \left [ \begin {array}{cc} 0 & 1 \\ 0 & 0 \\ 1&0 \\ 0 & 0 \end {array}\right ]\); \({S}_3^{1} = \left [ \begin {array}{cc} 0 & 0 \\ 0 & 0 \\ 0&1 \\ 1 & 0 \end {array}\right ]\).

As before we can choose random columns to spawn shares for the servers.

We now have the following theorem.

Theorem 2

For a given access structure Γ on a set of servers \(\mathcal {P}\), the share generation algorithm \(\textsf {share}_{\Gamma ,\mathcal {P}}\) as described in Fig. 4 admits an XVCS satisfying the conditions of Definition 4.

3.1.1 Share update process (PS-1)

Initial Setup & Input : Let SI, D, Ser_u for 1 ≤ u ≤ n, y_u and Γ =(Γ_QM,Γ_FM) respectively denote the secret image, dealer, n servers, number of shares hold by u^th server Ser_u and a general access structure. Initially D runs share_Γ(SI) using share generation algorithm presented in Fig. 4 to spawn sh_(u,j) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u and distributes them with Ser_u for 1 ≤ u ≤ n respectively.

Share Renewal process at time t : Suppose at time t − 1 the shares (after t − 2 renewals) of the servers are \({Ush}_{({u}, {j})}^{(t-1)}\) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u. Each server Ser_u for 1 ≤ u ≤ n perform following steps:

1. 1.

   Run share_Γ(0) to spawn \({sh}_{({u},{k}, {j})}^{t}[0]\) for 1 ≤ k ≤ n, 1 ≤ j ≤ y_u

2. 2.

   Stores \({sh}_{({u},{u}, {j})}^{t}[0]\) and sends (through a secure channel) \({sh}_{({u},{k}, {j})}^{t}[0]\) to server Ser_k for all 1 ≤ k(≠u) ≤ n, 1 ≤ j ≤ y_u.

3. 3.

   Compute \(\texttt {othS}_{({u}, {j})}^{t}[0] = \oplus _{k \neq u}{sh}_{({k},{u}, {j})}^{t}[0]\) for all 1 ≤ k(≠u) ≤ n, 1 ≤ j ≤ y_u.

4. 4.

   Outputs \({Ush}_{({u}, {j})}^{(t)} \longleftarrow {Ush}_{({u}, {j})}^{(t-1)} \oplus {sh}_{({u},{u}, {j})}^{t}[0] \oplus \texttt {othS}_{({u}, {j})}^{t}[0]\).

5. 5.

   Lastly, each server stores this updated value \({Ush}_{({u}, {j})}^{(t)}\) into it and deletes the old share.

3.1.2 Secret reconstruction phase

The reconstruction procedure remains the same as the underlying XVCS which has been used as the basic building block - viz., any minimal set B of servers can submit their shares corresponding to B and simply output the “exclusive-or” (xor) of the shares. It is not hard to see that since at each share renewal step, 0 is shared by all the servers therefore, by the linearity of the reconstruction process the correct secret is output even after t many renewal procedures.

Table 3 shows the pixel expansion and relative contrast of PS-1 for some of the access structures. Experimental results of PS-1 is provided in Fig. 3 for access structure Γ = {{Ser₁,Ser₂},{Ser₂,Ser₃},{Ser₃,Ser₄}}. The reconstructed output is same as secret image when the qualified subsets of servers (eg: {Ser₁,Ser₂}) combine their corresponding shares during with out renewals(eg: sh_(1,1) ⊕ sh_(2,1)) and with renewals (eg: \({Ush}_{(1,1)}^{2}\) ⊕ \({Ush}_{(2,1)}^{2}\)).

Table 3 Average Pixel expansion (APE) and relative contrast for some access structures on at most four servers: APE is computed by averaging the total pixels stored by all servers for each secret pixel divided by the number of servers; APE in PS-1 is no better than PS-2

3.2 Proactive step construction based XVCS (PS-2)

We now describe our second scheme which is more efficient in terms of pixel expansion (share size) and the comparison with the previous construction can be found in Table 3.

3.2.1 Share update process (PS-2)

Initial Setup & Input : Let SI, D, Ser_u for 1 ≤ u ≤ n, y_u and Γ =(Γ_QM,Γ_FM) respectively denote the secret image, dealer, n servers, number of shares hold by u^th server Ser_u and a general access structure. Initially D runs share generation algorithm based on Liu et al. [21] discussed in Section 2.3 to spawn sh_(u,j) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u and distributes them with Ser_u for 1 ≤ u ≤ n respectively.

Share Renewal process at time t : Similar to given in Section 3.1.1. The only modification is that the share (of 0) generated by each server during the renewal process follows the step construction of Liu et al. for the given access structure.

3.2.2 Secret reconstruction phase

Same as secret reconstruction algorithm based on Liu et al. [21] discussed in Section 2.3.

Tables 3 and 4 shows the pixel expansion and relative contrast of PS-2 for some of the access structures. Detailed explanation of PS-2 is given in Example 4. Experimental results of PS-2 is provided in Fig. 5 for Γ = {{Ser₁, Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}. The reconstructed output is same as secret image when the qualified subsets of servers (eg: {Ser₁,Ser₂,Ser₃}) combine their corresponding shares without renewals (eg: sh_(1,1) ⊕ sh_(2,1) ⊕ sh_(3,1)) and with renewals (eg: \({Ush}_{(1,1)}^{2}\) ⊕ \({Ush}_{(2,1)}^{2}\) ⊕ \({Ush}_{(3,1)}^{2}\)).

Table 4 Pixel expansion and relative contrast for (k, n) access structures: PS-2(SC) is for single cover & PS-2(DC) stands for different covers

Fig. 5

Experimental results based on PS-2 for access structure Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}: (a) Secret image, (b-i) shares of servers Ser₁, Ser₂, Ser₃ and Ser₄ without any renewals, (j) Reconstructed output without any renewals, (k-r) shares of servers after second renewal, (s) Reconstructed output at time t = 2

Example 4

Consider same server set Ser, secret image SI and access structure Γ_QM as given in Example 1. Then Ser₁ holds share \({{Ush}_{(1,1)}^{0}}={sh}_{(1, 1)}\), Ser₂ holds shares \({{Ush}_{(2,1)}^{0}}={sh}_{(2, 1)}\) and \({{Ush}_{(2,2)}^{0}}={sh}_{(2, 2)}\), Ser₃ holds shares \({{Ush}_{(3,1)}^{0}}={sh}_{(3, 1)}\) and \({{Ush}_{(3,2)}^{0}}={sh}_{(3, 2)}\), Ser₄ holds share \({{Ush}_{(4,1)}^{0}}={sh}_{(4, 1)}\). Let \({Z} = \begin {bmatrix} 0 & 0 \end {bmatrix}\). Then as per step construction by Liu et al. developed on XOR operation it is possible to divide Γ_QM into two parts Γ₁ = {{Ser₁,Ser₂},{Ser₁,Ser₃}} and Γ₂ = {Ser₂,Ser₃,Ser₄}. The tasks done by each server Ser_u for 1 ≤ u ≤ n are listed below.

Ser₁ will do the following.

1. 1)

   In the case of Γ₁, \({Ser}_2\sim {Ser}_3\), so Implement (2,2)-scheme on Z to spawn two shares \({A}_{1}=\begin {bmatrix} 1 & 0 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 1 & 0 \end {bmatrix}\). Then store \({sh}_{(1,1,1)}^{1}[0]= {A}_{1}\), send \({sh}_{(1,2,1)}^{1}[0]={B}_{1}\) to Ser₂ and \({sh}_{(1,3,1)}^{1}[0]={B}_{1}\) to Ser₃ respectively.

2. 2)

   In the case of Γ₂, again Implement (2,2)-scheme on Z to spawn two new shares \({A}_{2}=\begin {bmatrix} 0 & 1 \end {bmatrix}\) and \({B}_{2}=\begin {bmatrix} 0 & 1 \end {bmatrix}\). Implement (2,2)-scheme on B₂ to spawn shares \({A}_{3}=\begin {bmatrix} 1 & 1 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 1 & 0 \end {bmatrix}\).Then distribute \({sh}_{(1,2,2)}^{1}[0]={A}_{2}\) to Ser₂, \({sh}_{(1,3,2)}^{1}[0]={A}_{3}\) to Ser₃ and \({sh}_{(1,4,1)}^{1}[0]={B}_{3}\) to Ser₄ respectively.

Ser₂ will do the following.

1. 1)

   In the case of Γ₁, \({Ser}_2\sim {Ser}_3\), so Implement (2,2)-scheme on Z to spawn two shares \({A}_{1}=\begin {bmatrix} 0 & 1 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 0 & 1 \end {bmatrix}\). Then send \({sh}_{(2,1,1)}^{1}[0]= {A}_{1}\) to Ser₁, store \({sh}_{(2,2,1)}^{1}[0]={B}_{1}\) and send \({sh}_{(2,3,1)}^{1}[0]={B}_{1}\) to Ser₃ respectively.

2. 2)

   In the case of Γ₂, again Implement (2,2)-scheme on Z to spawn two new shares \({A}_{2}=\begin {bmatrix} 1 & 0 \end {bmatrix}\) and \({B}_{2}=\begin {bmatrix} 1 & 0 \end {bmatrix}\). Implement (2,2)-scheme on B₂ to spawn shares \({A}_{3}=\begin {bmatrix} 1 & 1 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 0 & 1 \end {bmatrix}\).Then store \({sh}_{(2,2,2)}^{1}[0]={A}_{2}\), send \({sh}_{(2,3,2)}^{1}[0]={A}_{3}\) to Ser₃ and \({sh}_{(2,4,1)}^{1}[0]={B}_{3}\) to Ser₄ respectively.

Similarly Ser₃ and Ser₄ will do the same process as mentioned above.

Now each server Ser_u for 1 ≤ u ≤ n can do the share update process as shown below.

Ser₁ will do the following.

1. 1)

   Compute \(\texttt {othS}_{(1,1)}^{1}[0] = {sh}_{(2,1,1)}^{1}[0]\oplus {sh}_{(3,1,1)}^{1}[0]\oplus {sh}_{(4,1,1)}^{1}[0]\).

2. 2)

   Outputs \({Ush}_{(1,1)}^{(1)} \longleftarrow {Ush}_{(1,1)}^{0} \oplus {sh}_{(1,1,1)}^{1}[0] \oplus \texttt {othS}_{(1,1)}^{1}[0]\).

Ser₂ will do the following.

1. 1)

   Compute \(\texttt {othS}_{(2,1)}^{1}[0] = {sh}_{(1,2,1)}^{1}[0]\oplus {sh}_{(3,2,1)}^{1}[0]\oplus {sh}_{(4,2,1)}^{1}[0]\) and \(\texttt {othS}_{(2,2)}^{1}[0] = {sh}_{(1,2,2)}^{1}[0]\oplus {sh}_{(3,2,2)}^{1}[0]\oplus {sh}_{(4,2,2)}^{1}[0]\)

2. 2)

   Outputs \({Ush}_{(2,1)}^{(1)} \longleftarrow {Ush}_{(2,1)}^{0} \oplus {sh}_{(2,2,1)}^{1}[0] \oplus \texttt {othS}_{(2,1)}^{1}[0]\) and \({Ush}_{(2,2)}^{(1)} \longleftarrow {Ush}_{(2,2)}^{0} \oplus {sh}_{(2,2,2)}^{1}[0] \oplus \texttt {othS}_{(2,2)}^{1}[0]\).

Similarly Ser₃ and Ser₄ will compute and output shares.

Then, reconstructed image RI is same as SI and is generated jointly by

1. 1)

   Servers Ser₁ and Ser₂ by doing: \({RI}={Ush}_{(1, 1)}^{1}\oplus {Ush}_{(2, 1)}^{1}\).

2. 2)

   Servers Ser₁ and Ser₃ by doing: \({RI}={Ush}_{(1, 1)}^{1}\oplus {Ush}_{(3, 1)}^{1}\).

3. 3)

   Servers Ser₂, Ser₃ and Ser₄ by doing: \({RI}={Ush}_{(2, 2)}^{1}\oplus {Ush}_{(3, 2)}^{1}\oplus {Ush}_{(4, 1)}^{1}\).

The average pixel expansion of the scheme is APE \(= \frac {1 +(1 + 1) + (1 + 1 ) + 1}{4} = 1.5\).

4 Proactive VCS with meaningful cover images

VCS with cover shares was proposed by Ateniese et al. [6] in 2001. Praveen et al. [17] in 2019 proposed a VCS with with cover shares, by extending step construction by Liu et al. [21]. In this section, we present two efficient proactive XOR-based visual cryptographic schemes (XVCS) for any general access structure with meaningful shares. In the first proactive scheme with meaningful shares (PS-2(SC)) we use the same cover images for construction, while in the second scheme (PS-2(DC)) different cover images are used for constructing shares on top of our PS-2 scheme. We describe the renewal procedures and perform a comparative analysis of the two schemes. We observe that the renewal procedure does not affect the quality of the reconstructed image for both schemes. The tuning procedure included in our modified reconstruction algorithm guarantees the lossless retrieval of the secret image. In Figs. 6 and 9 we give an outline of the procedures.

Fig. 6

Algorithmic stages of our construction (PS-2(SC)): SC stands for same cover

4.1 Proactive XVCS with same covers for general access structure (PS-2(SC))

Let D, Ser_u for 1 ≤ u ≤ n, y_u and Γ =(Γ_QM,Γ_FM) respectively denote the dealer, n servers, number of shares hold by server Ser_u for 1 ≤ u ≤ n and a general access structure.

4.1.1 Permutation share and Expanded cover share generation

Corresponding to each pixel in the cover image {Cov(g,h) : 1 ≤ g ≤ p,1 ≤ h ≤ q}, the dealer D will do the following.

1. 1.

   Implement a random column permutation to the matrix De = \(\left [\begin {array}{ccc}1 & 0 & 1 \end {array}\right ]\) and append De with the share M.

2. 2.

   The same cover pixel Cov(g,h) is appended three times with the share Ecov.

Now dealer D will send M and Ecov of size p × 3q to each server Ser_u for 1 ≤ u ≤ n. The detailed procedure for generating M and Ecov is shown below.

4.1.2 Meaningful share generation process

In order to spawn meaningful shares Csh_(u,j) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u from random looking shares sh_(u,j) corresponding to each server Ser_u, dealer D will make use of the same Permutation share M. Further, the same Permutation share M is used by each server Ser_u to update their shares during a particular time period. Corresponding to each server Ser_u, if the value of M_(g,h,t) == 0: assign the meaningful share pixel Csh_(u,j)(g,h) as random looking share pixel sh_(u,j)(g,h), otherwise append the meaningful share pixel Csh_(u,j)(g,h) as the cover pixel Cov(g,h), for 1 ≤ g ≤ p,1 ≤ h ≤ q,1 ≤ c ≤ 3. The detailed procedure for generating meaningful shares Csh_(u,j) is given below.

4.1.3 Proactive share generation and update process

1. 1.

   Initially dealer D will do share generation process using PS-2 by giving secret image SI input to generate random shares sh_(u,j) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u.

2. 2.

   Then D runs the Permutation share and Expanded cover share generation phase.

3. 3.

   Then run Meaningful share generation process which add covers to random shares sh_(u,j) and obtain meaningful shares Csh_(u,j) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u.

Share Renewal process at time t (PS-2(SC)) : Suppose at time t − 1 the shares (after t − 2 renewals) of the servers are \({UCsh}_{({u}, {j})}^{(t-1)}\) for 1 ≤ u ≤ n, 1 ≤ j ≤ y_u. Each server Ser_u for 1 ≤ u ≤ n performs the following steps:

1. 1.

   Run share generation process using XOR based step construction of Liu et al. [21] scheme with input image as all zero image.

2. 2.

   Then run Meaningful share generation process which add covers to random shares \({sh}_{({u},{k}, {j})}^{t}[0]\) and obtain meaningful shares \({Csh}_{({u},{k}, {j})}^{t}[0]\) for 1 ≤ k ≤ n, 1 ≤ j ≤ y_u.

3. 3.

   Stores \({Csh}_{({u},{u}, {j})}^{t}[0]\) and sends (through a secure channel) \({Csh}_{({u},{k}, {j})}^{t}[0]\) to server Ser_k for all 1 ≤ k(≠u) ≤ n.

4. 4.

   If qualified set B ∈Γ_QM contains odd number of servers calculate \({othS}_{({u}, {j})}^{t}[0] = \oplus _{k \neq u}{Csh}_{({k},{u}, {j})}^{t}[0]\), otherwise calculate \({othS}_{({u}, {j})}^{t}[0] = \oplus _{k \neq u}{Csh}_{({k},{u}, {j})}^{t}[0] \oplus (M\odot Ecov)\). During the update process, in order to circumvent the cancelling effect of cover information from shares due to “XOR”(⊕) operation, (M ⊙ Ecov) is used to make the shares meaningful. Here (⊙) denotes “AND” operation.

5. 5.

   Compute \({UCsh}_{({u}, {j})}^{(t)} \longleftarrow {UCsh}_{({u},{j})}^{(t-1)} \oplus {Csh}_{({u},{u}, {j})}^{t}[0] \oplus {othS}_{({u},{j})}^{t}[0]\).

4.1.4 Secret reconstruction phase

1. 1.

   In the case of qualified set B ∈Γ_QM which contains even number of servers follow the same scheme given in Section 2.3 to reconstruct the original reconstructed secret RI.

2. 2.

   But in the case of qualified set B ∈Γ_QM which contains odd number of servers, first follow the same scheme given in Section 2.3 to spawn meaningful reconstructed secret MRI. For generating the original reconstructed secret RI do the following process: RI = MRI⊕ (M ⊙ Ecov).During the reconstruction process, in order to remove the cover information from MRI, (M ⊙ Ecov) is used. Here (⊙) denotes “AND” operation.

3. 3.

   Tuning Process: This process will convert RI to an image (PRI) with same as that of SI. The detailed procedure is given below.

4.1.5 Analysis on the pixel expansion & contrast

Tables 4 and 5 shows the APE and relative contrast of PS-2(SC) for some of the access structures. In this section we extended the scheme PS-2 provided in Section 3.2 by adding covers to the random shares to generate meaningful shares. It is evident from the scheme that the pixel expansion of each meaningful shares CSh corresponding to each servers, permutation share M and the expanded cover share Ecov is 3. The dealer also is sharing both M and Ecov to all servers. So APE of this scheme PS-2(SC)= 3×APE(PS-2) + 3 + 3. Here the ratio of cover pixel and secret share pixel embedded within a meaningful share block of size 1 × 3 is 0.66 and 0.33 respectively after every renewal process and is given in Table 7. Detailed explanation of PS-2(SC) is given in Example 5 and Fig. 6 as a flowchart. Experimental results of PS-2(SC) is provided in Fig. 7 for access structure Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}. The reconstructed output is same as secret image when the qualified subsets of servers (eg: {Ser₁,Ser₂,Ser₃}) combine their corresponding shares without renewals(eg: Csh_(1,1) ⊕ Csh_(2,1) ⊕ Csh_(3,1)) and with renewals (eg: \({UCsh}_{(1,1)}^{2}\) ⊕ \({UCsh}_{(2,1)}^{2}\) ⊕ \({UCsh}_{(3,1)}^{2}\)). Tables 4 and 5 shows the comparison of PS-2(SC) with other schemes.

Table 5 Average Pixel expansion (APE) and relative contrast for some access structures on at most four servers: APE using PS-2(SC) is better than using PS-2(DC)

Fig. 7

Experimental results based on PS-2(SC) for access structure Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}: (a) Secret image, (b-i) cover shares of servers Ser₁, Ser₂, Ser₃ and Ser₄, (j) Reconstructed output without any renewal, (k-r) cover shares of servers after second renewal, (s) Reconstructed output at time t = 2, (t) Cover image

Example 5

Consider same Ser, SI and Γ_QM as given in Example 1. Let the cover images used is \({Cov} = \begin {bmatrix} 0 & 1 \end {bmatrix}\), \({ECov} = \begin {bmatrix} 000 & 111 \end {bmatrix}\) and \({M} = \begin {bmatrix} 101 & 101 \end {bmatrix}\). Then after adding covers the meaningful shares are \({Csh}_{(1, 1)} = \begin {bmatrix} 000 & 111 \end {bmatrix}\), \({Csh}_{(2, 1)} = \begin {bmatrix} 010 & 111 \end {bmatrix}\), \({Csh}_{(2, 2)} = \begin {bmatrix} 000 & 101 \end {bmatrix}\), \({Csh}_{(3, 1)} = \begin {bmatrix} 010 & 111 \end {bmatrix}\), \({Csh}_{(3, 2)} = \begin {bmatrix} 010 & 111 \end {bmatrix}\), \({Csh}_{(4, 1)} = \begin {bmatrix} 000 & 111 \end {bmatrix}\). Then Ser₁ holds share \({{UCsh}_{(1,1)}^{0}}={Csh}_{(1, 1)}\), Ser₂ holds shares \({{UCsh}_{(2,1)}^{0}}={Csh}_{(2, 1)}\) and \({{UCsh}_{(2,2)}^{0}}={Csh}_{(2, 2)}\), Ser₃ holds shares \({{UCsh}_{(3,1)}^{0}}={Csh}_{(3, 1)}\) and \({{UCsh}_{(3,2)}^{0}}={Csh}_{(3, 2)}\), Ser₄ holds share \({{UCsh}_{(4,1)}^{0}}={Csh}_{(4, 1)}\). Let \({Z} = \begin {bmatrix} 0 & 0 \end {bmatrix}\). Then as per step construction by Liu et al. developed on XOR operation it is possible to divide Γ_QM into two parts Γ₁ = {{Ser₁,Ser₂},{Ser₁,Ser₃}} and Γ₂ = {Ser₂,Ser₃,Ser₄}. The tasks done by each server Ser_u for 1 ≤ u ≤ n are listed below by using the same random shares generated in Example 4.

Ser₁ will do the following.

1. 1)

   In the case of Γ₁, after adding cover Cov to random shares it becomes, \({A}_{1}=\begin {bmatrix} 010 & 101 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 010 & 101 \end {bmatrix}\). Then store \({Csh}_{(1,1,1)}^{1}[0]= {A}_{1}\), send \({Csh}_{(1,2,1)}^{1}[0]={B}_{1}\) to Ser₂ and \({Csh}_{(1,3,1)}^{1}[0]={B}_{1}\) to Ser₃ respectively.

2. 2)

   In the case of Γ₂, after adding cover Cov to random shares it becomes, \({A}_{2}=\begin {bmatrix} 000 & 111 \end {bmatrix}\), \({A}_{3}=\begin {bmatrix} 010 & 111 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 010 & 101 \end {bmatrix}\).Then send \({Csh}_{(1,2,2)}^{1}[0]={A}_{2}\) to Ser₂, \({Csh}_{(1,3,2)}^{1}[0]={A}_{3}\) to Ser₃ and \({Csh}_{(1,4,1)}^{1}[0]={B}_{3}\) to Ser₄ respectively.

Ser₂ will do the following.

1. 1)

   In the case of Γ₁, after adding cover Cov to random shares it becomes, \({A}_{1}=\begin {bmatrix} 000 & 111 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 000 & 111 \end {bmatrix}\). Then send \({Csh}_{(2,1,1)}^{1}[0]= {A}_{1}\) to Ser₁, store \({Csh}_{(2,2,1)}^{1}[0]={B}_{1}\) and send \({Csh}_{(2,3,1)}^{1}[0]={B}_{1}\) to Ser₃ respectively.

2. 2)

   In the case of Γ₂, after adding cover Cov to random shares it becomes, \({A}_{2}=\begin {bmatrix} 010 & 101 \end {bmatrix}\), \({A}_{3}=\begin {bmatrix} 010 & 111 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 000 & 111 \end {bmatrix}\).Then store \({Csh}_{(2,2,2)}^{1}[0]={A}_{2}\), send \({Csh}_{(2,3,2)}^{1}[0]={A}_{3}\) to Ser₃ and \({Csh}_{(2,4,1)}^{1}[0]={B}_{3}\) to Ser₄ respectively.

Similarly Ser₃ and Ser₄ will do the same process as mentioned above. Now each server Ser_u for 1 ≤ u ≤ n can do the share update process as shown below.

Ser₁ will do the following.

1. 1)

   If qualified set B ∈Γ_QM contains odd number of servers calculate \(\texttt {othS}_{(1,1)}^{1}[0] = {sh}_{(2,1,1)}^{1}[0]\oplus {sh}_{(3,1,1)}^{1}[0]\oplus {sh}_{(4,1,1)}^{1}[0]\), otherwise calculate \(\texttt {othS}_{(1,1)}^{1}[0] = {sh}_{(2,1,1)}^{1}[0]\oplus {sh}_{(3,1,1)}^{1}[0]\oplus {sh}_{(4,1,1)}^{1}[0]\oplus ({M} \odot {Ecov})\)

2. 2)

   Outputs \({Ush}_{(1,1)}^{(1)} \longleftarrow {Ush}_{(1,1)}^{0} \oplus {sh}_{(1,1,1)}^{1}[0] \oplus \texttt {othS}_{(1,1)}^{1}[0]\).

Ser₂ will do the following.

1. 1)

   If qualified set B ∈Γ_QM contains odd number of servers calculate \(\texttt {othS}_{(2,1)}^{1}[0] = {sh}_{(1,2,1)}^{1}[0]\oplus {sh}_{(3,2,1)}^{1}[0]\oplus {sh}_{(4,2,1)}^{1}[0]\) and \(\texttt {othS}_{(2,2)}^{1}[0] = {sh}_{(1,2,2)}^{1}[0]\oplus {sh}_{(3,2,2)}^{1}[0]\oplus {sh}_{(4,2,2)}^{1}[0]\), otherwise calculate \(\texttt {othS}_{(2,1)}^{1}[0] = {sh}_{(1,2,1)}^{1}[0]\oplus {sh}_{(3,2,1)}^{1}[0]\oplus {sh}_{(4,2,1)}^{1}[0]\oplus ({M} \odot {Ecov})\) and \(\texttt {othS}_{(2,2)}^{1}[0] = {sh}_{(1,2,2)}^{1}[0]\oplus {sh}_{(3,2,2)}^{1}[0]\oplus {sh}_{(4,2,2)}^{1}[0]\oplus ({M} \odot {Ecov})\).

2. 2)

   Outputs \({Ush}_{(2,1)}^{(1)} \longleftarrow {Ush}_{(2,1)}^{0} \oplus {sh}_{(2,2,1)}^{1}[0] \oplus \texttt {othS}_{(2,1)}^{1}[0]\) and \({Ush}_{(2,2)}^{(1)} \longleftarrow {Ush}_{(2,2)}^{0} \oplus {sh}_{(2,2,2)}^{1}[0] \oplus \texttt {othS}_{(2,2)}^{1}[0]\).

Similarly Ser₃ and Ser₄ will compute and output shares. If qualified set B ∈Γ_QM contains even number of servers, reconstructed image RI is generated jointly by

1. 1)

   Servers Ser₁ and Ser₂ by doing: \({RI}={Ush}_{(1, 1)}^{1}\oplus {Ush}_{(2, 1)}^{1}\).

2. 2)

   Servers Ser₁ and Ser₃ by doing: \({RI}={Ush}_{(1, 1)}^{1}\oplus {Ush}_{(3, 1)}^{1}\).

If qualified set B ∈Γ_QM contains odd number of servers, reconstructed image RI is generated jointly by Ser₂, Ser₃ and Ser₄ by doing: \({RI}={Ush}_{(2, 2)}^{1}\oplus {Ush}_{(3, 2)}^{1}\oplus {Ush}_{(4, 1)}^{1}\oplus ({M} \odot {Ecov})\).

The average pixel expansion of the scheme is APE \(= \frac {3 +(3 + 3) + (3 + 3 ) + 3}{4} + 3 + 3 = 10.5\).

4.1.6 Experimental results on different Image quality metrics

The binary secret images and the binary cover images of size 1000×753 are shown in Fig. 8. The size of the random shares and meaningful shares (before and after renewals) are 1000×753 and 3000×753 respectively. All the images contain only two grey levels 0 and 255. The (Entropy) values corresponding to random shares, meaningful shares and meaningful shares after renewals is given in Table 6. It is clear from Table 6, the entropy values of random shares(sh) > meaningful shares (Csh and UCsh) > cover shares (Ecov). The peak signal-to-noise ratio (PSNR) and structural similarity index measure (SSIM) values measured after each renewal while embedding the shares of the secret images in to the corresponding cover images is given in Table 7. The correlation coefficients (Diagonal, Vertical, Horizontal) values corresponding to random shares, meaningful shares and meanigful shares after renewals is given in Table 8. It is clear from Table 8, the correlation coefficients values of random shares(sh) < meaningful shares (Csh and UCsh) < cover shares (Ecov).

Fig. 8

Secret images(a-c) is embedded in the cover images(d-f) respectively

Table 6 The Entropy of shares (generated from secret image - SI) and cover shares (generated by embedding shares in cover image - CI) for Γ = {{Ser₁,Ser₂,Ser₃}, {Ser₁,Ser₂,Ser₄}, {Ser₁,Ser₃,Ser₄}, {Ser₂,Ser₃,Ser₄}}

Table 7 PSNR (in dBs), SSIM & relative contrast of cover shares concerning (secret images, cover images) for Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}

Table 8 The correlation table (Diagonal, Vertical, Horizontal) of shares (generated from secret image - SI) and cover shares (generated by embedding shares in cover image - CI) for Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}

4.2 Proactive XVCS with different covers for general access structure (PS-2(DC))

In the case of PS-2(DC), meaningful share generation procedure, and reconstruction procedure is the same as given in Section 4.1. In Section 4.1, same cover image Cov is used to generate meaningful shares corresponding to the servers. Then in the case of the share renewal process and reconstruction process, servers are utilizing the expanded cover image Ecov given by the dealer. But it is possible to use multiple cover images Cov_m to generate meaningful shares corresponding to the servers. In this case also, during the share renewal process and reconstruction process, servers are utilizing the expanded cover images Ecov_m given by the dealer. Due to the usage of multiple cover images, the APE will be more compared to the scheme provided in Section 4.1. In this section, we extended the scheme PS-2 in Section 3.2 by adding multiple covers to the random shares to generate meaningful shares. A schematic description of the protocol is given in Fig. 9.

Fig. 9

Algorithmic stages of our construction(PS-2(DC)): DC stands for different covers

APE of this scheme PS-2(DC)= 2× 3 ×APE(PS-2) + 3. This scenario is explained in the Example 6. Tables 4 and 5 shows the APE of PS-2(DC) for some access structures. For Γ = {{Ser₁,Ser₂,Ser₃},{Ser₁,Ser₂,Ser₄},{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}} shares generated using PS-2(DC), after first renewal for some of the qualified subsets (eg: {Ser₁,Ser₂,Ser₃} and {Ser₁,Ser₃,Ser₄}) is shown in Figs. 1 and 2 (see Section 1). The reconstructed output is same as secret MRI image when the qualified subsets of servers (eg: {Ser₁,Ser₂,Ser₃}) combine their corresponding shares (eg: \({UCsh}_{(1,1)}^{1}\) ⊕ \({UCsh}_{(2,1)}^{1}\) ⊕ \({UCsh}_{(3,1)}^{1}\)). As per step construction by Liu et al. developed using XOR operation it is possible to divide Γ into two parts Γ₁ = {{Ser₁,Ser₂,Ser₃}, {Ser₁,Ser₂,Ser₄}} and Γ₂ = {{Ser₁,Ser₃,Ser₄},{Ser₂,Ser₃,Ser₄}}. So we can use one cover image for Γ₁ and other cover image for Γ₂.

Example 6

Let Ser = {Ser₁,Ser₂,Ser₃,Ser₄}, SI \(= \begin {bmatrix} 1 & 0 \end {bmatrix}\) and Cov_m denotes the set of servers , secret image and m cover images respectively. Let the minimal qualified set is Γ_QM = {{Ser₁,Ser₂},{Ser₁,Ser₃},{Ser₂,Ser₃,Ser₄}}. Then as per step construction by Liu et al. developed on XOR operation it is possible to divide Γ_QM into two parts Γ₁ = {Ser₁,Ser₂},{Ser₁,Ser₃}} and Γ₂ = {{Ser₂,Ser₃,Ser₄}}. Then dealer will do the following.

1. 1)

   In the case of Γ₁, \({Ser}_2\sim {Ser}_3\), so Implement (2,2)-scheme on SI to spawn two shares \({A}_{1}=\begin {bmatrix} 0 & 1 \end {bmatrix}\) and \({B}_{1}=\begin {bmatrix} 1 & 1 \end {bmatrix}\). Then distribute A₁ to Ser₁ and B₁ to both Ser₂ and Ser₃ respectively.

2. 2)

   In the case of Γ₂, again Implement (2,2)-scheme on SI to spawn two new shares \({A}_{2}=\begin {bmatrix} 0 & 0 \end {bmatrix}\) and \({B}_{2}=\begin {bmatrix} 1 & 0 \end {bmatrix}\). Implement (2,2)-scheme on B₂ to spawn shares \({A}_{3}=\begin {bmatrix} 1 & 1 \end {bmatrix}\) and \({B}_{3}=\begin {bmatrix} 0 & 1 \end {bmatrix}\).Then distribute A₂ to Ser₂, A₃ to Ser₃ and B₃ to Ser₄ respectively. In the following, we elaborate on the share generation and embedding details.

1. 1.

   Ser₁ holds share sh_(1,1) = A₁ and this will be embedded in the cover image Cov₁ to generate Csh_(1,1).

2. 2.

   Ser₂ holds share sh_(2,1) = B₁ and this will be embedded in the cover image Cov₁ to generate Csh_(2,1).

3. 3.

   Ser₂ holds one more share sh_(2,2) = A₂ and this will be embedded in the cover image Cov₂ to generate Csh_(2,2).

4. 4.

   Ser₃ holds shares sh_(3,1) = B₁ and this will be embedded in the cover image Cov₁ to generate Csh_(3,1).

5. 5.

   Ser₃ holds one more share sh_(3,2) = A₃ and this will be embedded in the cover image Cov₂ to generate Csh_(3,2).

6. 6.

   Ser₄ holds share sh_(4,1) = B₃ and this will be embedded in the cover image Cov₂ to generate Csh_(4,1).

Here two cover images (m = 2) used are Cov₁ and Cov₂. So dealer need to share the following.

1. 1.

   Ecov₁ and Csh_(1,1) is shared with Ser₁.

2. 2.

   Ecov₁, Ecov₂, Csh_(2,1) and Csh_(2,2) is shared with Ser₂.

3. 3.

   Ecov₁, Ecov₂, Csh_(3,1) and Csh_(3,2) is shared with Ser₃.

4. 4.

   Ecov₂ and Csh_(4,1) is shared with Ser₄.

5. 5.

   Permutation share M is shared with all servers Ser₁, Ser₂, Ser₃ and Ser₄.

Since all the shares have pixel expansion 3, then APE = 2 × 3 × (1 + 2 + 2 + 1)/4 + 3.

5 Conclusions

Updating the secret states of servers at a regular time interval is essential for long-term storage of confidential data. If the data is in the format of an image then introducing refreshing techniques into the visual cryptographic scheme poses some challenges.Towards this, we propose proactive visual cryptographic schemes for the XOR-based schemes. Our proposal is information theoretically secure with provable security and thus provides security even against quantum computers. The updating procedure can be performed an unlimited number of times without degrading the quality of the secret image. The robustness of the proposed constructions are also validated using the Image quality metrics like PSNR, SSIM, Correlation coefficients and Entropy.