1 Introduction

In conventional cryptosystems, it is common to employ a single node to protect the secret data in an insecure network due to the advantage of easy supervision. The performance of the single node, however, is always the bottleneck of the whole security system. In 1979, Shamir first proposed the concept of (t, n) threshold secret sharing to mitigate this problem [9]. Given a set of n participants, a dealer issues each of them an individual shadow constructed from the secret data S. That is, the responsibility for protecting the secret data is distributed to a set of authorized members. Later, any t members can cooperate to reveal S by providing their secret shadows. More precisely, involved participants who possess fewer than t shadows have no more knowledge of the secret than the one with nothing. This can effectively enhance the security of secret information in an insecure network.

Thien and Lin later extended this concept to protect confidential images [10]. Due to its practicability, the secret image sharing version has been widely applied to the e-commerce, communications, and medical fields. In Thien and Lin’s (tn) threshold method, a dealer has to generate n distinct shadows from a secret image and issue them to authorized participants. Hereafter, any t participants can cooperate to reveal the secret image. Based on this method, Zhao et al. introduced the concept of cheater identification into the secret image sharing mechanism [2, 46, 14]. Their method allows authorized members to confirm the validity of the shadows. If a dishonest participant provides a fake shadow for this cooperation, legal users can become aware of this attempt. Nevertheless, neither [10] nor [6] can provide a meaningful shadow image. Delivering meaningless shadow images over an insecure channel may attract attackers’ attention to the secret information.

Lin and Tsai offered a version, in which each shadow is meaningful [7]. The meaningfulness of the shadow can decrease the potential risk. In 2007, Wang and Shyu created the scalable secret image sharing (SSIS) mechanism for sharing a secret image to a group of participants [12]. The feature of scalability refers to the fact that the revealed secret information is proportional to the number of collected shadows. That is, the secret is disclosed gradually. Yang and Huang extended SSIS to a t-out-of-n version in 2010 [11, 13, 15, 17], where a qualified group of participants includes t participants and 2 ≤ t ≤ n. Inheriting the properties from previous SSIS schemes, Yang and Chu provided a new SSIS mechanism [16], in which the essential of smooth scalability must be confirmed. Specifically, the secret information can be exposed smoothly proportional to the number of gathered shadows.

So far, SSIS schemes cannot offer involved participants meaningful shadows to enhance security. In particular, the revealed parts of the secret are randomly distributed. This may violate the principle of scalable secret sharing: the more shadows we collect, the more secrets we get. That is to say, the key secret may be disclosed even by stacking two shadows. Without loss of generality, the most important information of an image shall be revealed at the final stage. Inspired by this, we aim to design a brand-new SSIS scheme based on the Saliency map and Aryabhata remainder theorem (ART), in which the ROIs of secret image can be revealed selectively [3, 8]. That means the main secret can only be exhibited when all shadows are gathered. Aside from preserving the property of smooth scalability, the new scheme can further provide meaningful shadows for each participant in order to reduce the attention of malicious intruders and allow legal users to verify if the gathered shadow is tampered [1].

The rest of this article is organized as follows. We introduce ART and Shamir’s secret sharing technique in Section 2. The proposed new mechanism is described in Section 3, followed by experimental results in Section 4. We finally make conclusions in Section 5.

2 Related work

2.1 Shamir’s secret sharing

The (tn) threshold mechanism was firstly proposed by Shamir [9] in 1979. A dealer has to construct n shadows (S 1, S 2, …, S n ) from the secret data S. Without t or more shadows, no one can restore the secret data S. To divide S into n shadows, the dealer chooses a prime m and generates a (t − 1)-degree polynomial

$$ F(x)=\left({a}_o+{a}_1x+\dots +{a}_{t-1}{x}^{t-1}\right) \mod\ m, $$

where a 0 = S and coefficients a 1, a 2, …, a t − 1 are randomly decided from the integers within [0, m − 1]. The dealer then computes

$$ {y}_1=F(1),{y}_2=F(2),\dots, {y}_n=F(n). $$

Finally, the dealer sends secret shadows y i ’s to involved participants.

Given any t pairs of {(i, y i )} n i = 1 , involved participants can reconstruct F(x) by the Lagrange interpolation polynomial [13]. Hence, they can recover all coefficients a 0, a 1, …, a t − 1 of F(x) to learn the secret data S.

2.2 Aryabhata remainder theorem (ART)

Let m 1 and m 2 be two coprime moduli and M = m 1 m 2. The congruence system,

$$ \begin{array}{c}\hfill x\equiv {b}_1\left( \mod \kern0.5em {m}_1\right),\hfill \\ {}\hfill x\equiv {b}_2\left( \mod \kern0.5em {m}_2\right),\hfill \end{array} $$

has a unique solution under modulus M, and the solution can be given by

$$ \begin{array}{c}\hfill x=\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left({b}_1,{b}_2;{m}_1,{m}_2;M\right)\hfill \\ {}\hfill =\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(0,c;{m}_1,{m}_2;M\right)+{b}_1\hfill \\ {}\hfill ={m}_1\left(\left(c\cdot {m}_1^{-1}\right) \mod \kern0.5em {m}_2\right)+{b}_1,\hfill \end{array} $$
(1)

where c = (b 2 − b 1)mod m 2.

Example

Find x such that x≡2 (mod 3), x≡3 (mod 5), and x≡2(mod 7).

Solution

x can be obtained by the ART twice:

  1. Step 1:

    Solve \( {x}_1=\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(2,\kern0.5em 3;\kern0.5em 3,\kern0.5em 5;\kern0.5em 15\right) \)

    $$ \begin{array}{c}\hfill {x}_1=\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(2,\kern0.5em 3;\kern0.5em 3,\kern0.5em 5;\kern0.5em 15\right)\hfill \\ {}\hfill =\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(0,\kern0.5em 1;\kern0.5em 3,\kern0.5em 5;\kern0.5em 15\right)+2\hfill \\ {}\hfill =3\cdot \left(\left(1\cdot {3}^{-1}\right)\kern0.5em \mod \kern0.5em 5\right)+2\hfill \\ {}\hfill =3\cdot 2+2=8\hfill \end{array} $$
  2. Step 2:

    Compute

    $$ \begin{array}{c}\hfill x=\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left({x}_1,2;15,7;105\right)\hfill \\ {}\hfill =\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(8,2;15,7;105\right)\hfill \\ {}\hfill =\mathcal{A}\mathrm{\mathcal{R}}\mathcal{T}\left(0,1;15,7;105\right)+8\hfill \\ {}\hfill =15\cdot \left(\left(1\cdot {15}^{-1}\right) \mod \kern0.5em 7\right)+8\hfill \\ {}\hfill =15\cdot 1+8=23\hfill \end{array} $$

Utilizing the iterative method as the solution procedure mentioned above, it is easy to extend ART to the case of t moduli. Here, we omit the algorithm for the t moduli case and the proof of ART; for details, refer to [8].

3 The proposed method

The proposed (t, n)-SSIS scheme can be divided into two phases: sharing and decrypting. Notations used are listed below.

I :

The selected secret image with size |I|.

P(.):

The partition function, which is used to divide the secret image into n equal sub-images according to Saliency map [3].

E t,n (.):

Encoding function of a polynomial-based (t, n)-SIS scheme [17].

D t,n (.):

Decoding function used to reverse E t,n (.) processing [17].

I j :

The jth sub-image with size I j  = |I|/n, where j ∈ (1, n).

\( \overline{I_j} \) :

The outcome of stacking j shadows, where k ≤ j ≤ n.

\( \overline{I_j^i} \) :

The ith sub-shadow of jth sub-image, where i ∈ [1, n] and j ∈ [k, n].

O j :

The jth occupancy map with size 2n × 2n bits, where j ∈ [1, n].

\( \overline{O_j^i} \) :

The ith sub-shadow of jth occupancy map, where i ∈ [1, n] and j ∈ [k, n].

SP ij s :

The shared pixel in the position (i, j) of the sth cover image, where s ∈ [1, n].

B ij s :

The four-pixel block with position (i,j) within the sth cover image, where s ∈ [1, n].

\( \overline{B_s^{ij}} \) :

The four-pixel block with position (i, j) in the sth stego image, where s ∈ [1, n].

\( \overline{X_s^{ij}},\overline{V_s^{ij}},\overline{W_s^{ij}},\overline{Z_s^{ij}} \) :

The four pixel values in the block with position (i, j) in the sth stego image, where s ∈ [1, n].

PC ij :

The pixel collection of the t pixels in the secret image with the position (i, j).

3.1 The sharing phase

The flowchart of this phase is illustrated in Fig. 1. The Saliency map of secret image I is first retrieved according to [3], and I is partitioned into 2n × 2n grids. Afterward, the saliency map, i.e., the ROIs, is used to guide the selection of grids to generate both the sub-images and occupancy maps. Then, t sub-shadows are derived from each of the sub-images using the (t, n) polynomial-based SIS scheme. By combining these sub-shadows, the remaining (n-t) shadows are obtained. Finally, we embed the shadows into the selected cover image and insert the authentication watermark to protect the integrity of the stego images.

Fig. 1
figure 1

The flowchart of sharing phase

Full size image
  1. Step 1.

    The secret image is partitioned into (n − t + 1) sub-images and counterparts of occupancy maps by P(.) [3]. The size of one sub-image is (t × |I|)/n, in which the number of selected grids is t × 2n × 2n/n, and other n − t sub-images are sized of (|I|)/n with 2n × 2n/n grids. The location of selected grids is recorded as the occupancy map.

  2. Step 2.

    As the modulus used in the polynomial E t,n (.) is set to GF(28), such that the 8-bit pixel can be encrypted lossless and without additional pixels. Every t pixels of the sub-images and occupancy maps can form a pixel collection. Furthermore, PC ij can be applied to generate n shared pixels SP ij1 , SP ij2 , …, SP ij n to be embedded into the blocks B ij1 , B ij2 , …, B ij n , respectively, within the n cover images. The PC ij is hidden in the coefficients a 0, a 1, …, a t − 1 in the polynomial function. Input the decimal value of the five MSBs of the pixel into the polynomial function to generate the shared pixel SP ij s . Consequently, we employ the function E t,n (.) to encrypt the occupancy map with the size of 2n × 2n to generate sub-shadows of occupancy maps O 11 , O 12 , …, O 1 n and the sub-image with the size of (t × |I|)/n to generate sub-shadows of sub-images I 11 , I 12 , …, I 1 n . Similarly, we encrypt other occupancy maps and sub-images by E t + 1,n (.), E t + 2,n (.),…, E n,n (.), respectively.

  3. Step 3.

    We then combine the sub-shadows progressively to generate the shadows S 1, S 2, …, S n .

  4. Step 4.

    The binary bits of the shared pixel SP ij s (s 1, s 2, … s 8) is embedded into the block by replacing the eight bits x 6 x 7 v 6 v 7 w 6 w 7 z 6 z 7.

  5. Step 5.

    To prevent malicious faking, we employ the ART-based authentication method to protect the integrity of the stego images. First, we retrieve the former seven bits of the four pixels within \( \overline{B_s^{ij}} \) to form four new values as A s ij1 , A s ij2 , A s ij3 , A s ij4 . Let A s ij5  = i, A s ij6  = j. Next, the six moduli that are relatively primes m S ij1 , m S ij2 , …, m S ij6 are determined, where each modulus is the prime number greater than A s ija and 1 ≤ a ≤ 6. Finally, the integer Y s ij is computed by Eq. (1). The binary bits of Y s ij is shown as (y 1 y 2 … y e ). Note that the number of these binary bits has to be a multiple of four. Then, the four authentication bits can be obtained as follows:

    $$ \begin{array}{r}\hfill \left({c}_1{c}_2{c}_3{c}_4\right)=\left({y}_1{y}_2{y}_3{y}_4\right)\oplus \left({y}_5{y}_6{y}_7{y}_8\right)\\ {}\hfill \oplus \cdots \oplus \left({y}_{e-3}{y}_{e-2}{y}_{e-1}{y}_e\right)\end{array} $$
    (2)

    If the four watermark bits are t 1, t 2, t 3, t 4, the four check bits p 1, p 2, p 3, p 4 can be calculated as

    $$ \left({p}_1{p}_2{p}_3{p}_4\right)=\left({c}_1{c}_2{c}_3{c}_4\right)\oplus \left({t}_1{t}_2{t}_3{t}_4\right) $$
    (3)

    Then, we replace the four LSBs x 8 v 8 w 8 z 8 with the checked bits p 1, p 2, p 3, p 4. Here we have

    $$ \begin{array}{ll}\overline{X_s^{ij}}={x}_1{x}_2{x}_3{x}_4{x}_5{s}_1{s}_2{p}_1,\hfill & \overline{V_s^{ij}}={v}_1{v}_2{v}_3{v}_4{v}_5{s}_3{s}_4{p}_2,\hfill \\ {}\overline{W_s^{ij}}={w}_1{w}_2{w}_3{w}_4{w}_5{s}_5{s}_6{p}_3,\hfill & \overline{\ {Z}_s^{ij}}={z}_1{z}_2{z}_3{z}_4{z}_5{s}_7{s}_8{p}_4.\hfill \end{array} $$
  6. Step 6.

    Repeat the sharing procedure until all pixels of the modified secret image have been processed. Next, the stego images are acquired and transmitted to the legal participants.

3.2 Decrypting phase

To ensure that the secret image can be reconstructed correctly, the stego images should be authenticated first. If the combined stego images are completed, then the secret image can be retrieved progressively by the (t, n)-based SSIS decryption method.

  1. Step1.

    Each of the stego images is divided into a set of blocks with four pixels. We retrieve the former seven bits of the four pixels within \( \overline{B_s^{ij}} \) to form four new values as \( \overline{A_{ij1}^s},\overline{A_{ij2}^s},\overline{A_{ij3}^s},\overline{A_{ij4}^s} \). Then, we set \( \overline{A_{ij5}^s}=i,\kern0.5em \overline{A_{ij6}^s}=j \) and employ Eq. (2) to gain the authentication bits. We apply the watermark bits together with the authentication bits to compute the check bits \( \overline{p_1},\overline{p_2},\overline{p_3},\overline{p_4} \). If the acquired check bits are identical to the hidden bits p 1, p 2, p 3, p 4, this block is verified successfully, and a shared pixel (s 1, s 2, …, s 8) is achieved. This authentication and revealing procedure is repeated progressively until the hidden shared pixels of the proposed stego images are gained.

  2. Step2.

    We subsequently use the function D t,n (.) to decrypt the t shadows S 1, S 2, …, S t and obtain the progressive outcome \( \overline{I_j} \).

  3. Step3.

    We apply the function E t + 1,n (.) to decrypt the \( \overline{I_j} \) and S t + 1 based on the polynomial interpolation to obtain \( \overline{I_{j+1}} \).

  4. Step4.

    We repeat the above decryption process for all stego images to guarantee the integrity of the shadows and to reconstruct the secret image progressively and completely.

4 Experimental result and comparisons

We employed the Python to conduct all simulations using Intel 1.3GHz CPU. We first adopted the (3, 5)-polynomial based SSIS scheme as an example to demonstrate the secret sharing process of the proposed method. The generated five meaningful shadows are depicted as Fig. 2a through e. The stacking result of Fig. 2a through c is displayed as Fig. 2f, and the outcome of Fig. 2a through d is shown as Fig. 2g. The final effect of stacking all shadows is shown as Fig. 2h. According to human visual perception, the quality of these shadows is satisfactory. Thus, it is difficult for an intruder to be aware of any secret hidden in the images.

Fig. 2
figure 2

ae shadows, f outcome of three shadows, g outcome of four shadows; h outcome of five shadows

Full size image

As for Fig. 2f through h, it is clear that the kernel of the secret can unfold progressively. This can prevent the selected important region of the secret from being exhibited unless all shadows are collected. In particular, the revealed secret is proportional to the number of collected shadows, which complies with the concept of scalability.

On the other hand, the stacking effects of [16, 17] are shown in Fig. 3. The first row displays the result of Yang and Huang’s (3, 5)-polynomial based SSIS scheme. Figure 3a displays the outcome of combing three meaningless shadows; Fig. 3b illustrates the result of four shadows; and Fig. 3c reveals a complete secret. It is clear that the stacking result can not comply with the essential of smooth scalability. The second row of Fig. 3 offers the result of Yang and Chu’s (3, 5)-polynomial based SSIS scheme. Figure 3d displays the effect of stacking three meaningless shadows; Fig. 3e shows the result of four shadows; and Fig. 3f reveals a final secret. Although the revealed secret information is also proportional to the number of collected shadows, people can easily figure out the main content of secret by stacking four shadows. In fact, this has violated the principle of scalable secret image sharing. Recalling to the results of Fig. 2f, g, and h, the main secrets are recovered only under the situation that all the shadows are gathered. It is due to the help of Salient object detection technique. Without loss of generality, the detected ROIs are the representative features of a secret image. The more number of gathered shadows, the more ROIs can be revealed in the new method.

Fig. 3
figure 3

Stacking results of [17] and [16]

Full size image

To highlight the ability to mitigate the potential risk of attackers’ consciousness, we conducted simulations of related state-of-the-art works [7, 15], which are (2, 4) scalable secret image sharing methods. These two methods are known for the excellent quality of the generated meaningful shadows. The result comparisons are shown in Fig. 4. The reason that we adopted the (2, 4) version is that it can offer the best performance of these two mechanisms. Undoubtedly, the quality of the meaningful shadows of the two related works and of the proposed mechanism is satisfactory according to human visual perception. Nevertheless, higher PSNR values are obtained from the proposed mechanism.

Fig. 4
figure 4

Shadow evaluation for the (2, 4) secret image sharing schemes: a the shadows of [15]; b the shadows of [7]; c the shadows of the proposed scheme

Full size image

Verification of shadows is seldom concerned in the scalable secret image sharing schemes. With the explosive increase of network crimes, no one can guarantee that shadows will not be modified by outside attackers or dishonest participants. Thus, verifying the validity of shadows shall become an essential in designing a secret image sharing mechanism. With the adoption of ART, we can employ the watermark and authentication code to compute a check code in order to verify the integrity of the shadow. The verification evaluation is shown in Fig. 5. The left column contains three meaningful shadows, in which a small pumpkin is embedded in the corner. The verification results are listed in the right column. Obviously, the modified area can be marked out with a pumpkin shape.

Fig. 5
figure 5

Verification outcomes of the meaningful shadows

Full size image

To examine the verification ability of the proposed method in terms of digitalization, we employ the Verifying ratio of Shadow (VoS) in the tampered region to show its robustness. The VoS is defined as \( VoS=\frac{NPV}{NPT} \), where NPV represents the number of pixels verified as tampered, and NPT stands for the number of all tampered pixels. The results of the verification for different shadows are shown in the Table 1. Almost all modified pixels can be determined.

Table 1 VoS of the meaningful shadows
Full size table

To emphasize the contribution of the proposed mechanism, we summarize the essentials of related schemes in Table 2. Aside from complying with scalability and smooth scalability, the new method can offer meaningful shadows without pixel expansion to reduce attention from malicious attackers. To the best of our knowledge, it is the first SSIS scheme with meaningful shadows. Furthermore, it is equipped with verification ability to enhance the robustness of shadows. This achievement can greatly help to avoid dishonest behavior in retrieving a secret. To underline the quality of meaningful shadows, we compare the result of related secret sharing schemes offering meaningful shadows with that of the proposed scheme. According to Fig. 4, we can conclude that the new method can provide better shadow quality than related works in terms of PSNR values and visual perception.

Table 2 The functionality of related and proposed scheme
Full size table

5 Conclusions

The innovation of this article can be highlighted in the following. 1) It is the first SSIS method providing meaningful shadow, which can effectively help to reduce attention from attackers. The quality of shadows is proven to be better than secret image sharing schemes according to the simulations. 2) It is the first SSIS method offering shadow verification, in which a dishonest or invalid shadow can be detected before stacking. 3) It is the first SSIS method concerning about the secret distribution of an image, in which the ROIs can be revealed gradually.