Secret Image Sharing Revisited: Forbidden Type, Support Type, and Their Two Approaches

Abstract

In this paper, we introduce two new image-sharing types to extend the applicability of sharing. Type 1 is our so-called forbidden type. In its sharing system, any t of the n shares can recover the secret image, unless the t shares form a forbidden group listed in a forbidden list. Type 2 is our so-called cross-department support type. If a government has 3 departments {DEP_H, DEP_M, DEP_L}, then 3 thresholds (t_H, t_M and t_L) exist. Any t_H number of officers from department DEP_H can unveil the secret image, and likewise for any t_M and t_L number of officers from departments DEP_M and DEP_L, respectively. Type 2 image sharing allows a secret to be disclosed not only in an intra-department meeting but also in a cross-department meeting. In this study, both types are implemented through two approaches: the polynomial and linear-equations approaches. Hackers can be confused when two approaches are mixed. As for the applications, use Type 1 to protect sensitive information in medical or military images or legal documents; and use type 2 to support cross-department crime investigation, industrial production, etc.

1. Introduction

Secret sharing was introduced by Shamir [1] and Blakley [2] in 1979. In secret sharing, a given secret is encoded and divided into n shares, and two requirements must be met before a secret can be disclosed: a) any t of the n shares can cooperate to unveil the given secret, and b) less than t shares cannot unveil. Secret image sharing has at least two main streams. The first is visual cryptography (VC) [3], which is used for black-and-white (2-levels) images, and the second is polynomial-based sharing [4], which is used for gray-value or color images. Introduced by Naor and Shamir [3] in 1994, visual cryptography uses several transparencies as media to share the secret image, where each transparency is “larger” than the secret image in size. Building on Shamir’s (t, n) scheme, in 2002, Thien and Lin [4] proposed a (t, n) threshold scheme for sharing 256-level secret images. In [4], each share was t times “smaller” than the given secret image. For a (t, n) threshold scheme, t ≤ n always holds. The security level is controlled by the ratio t/n, where a larger t/n ratio means that more participants are required for the secret to be deciphered, and hence, prevent the betraying from a small group of participants. If every participant trusts no one else, then t = n can be set. Smaller t/n ratios are used in unstable environments (e.g., during a war or if the storage medium or Internet connection is unreliable) in which many participants may lose contact. Thus, a (t, n) system not only addresses security concerns from betrayal but also allows for tolerance toward missing shares in unstable environments. Because sharing is useful, all four aforementioned papers [1,2,3,4] have been frequently cited, particularly Shamir [1], which has had more than 10,000 citations from 1979 to 2019. Many recent studies have also focused on sharing [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]. Finally, as for image sharing, some readers may wonder why one cannot just use a key to encrypt the secret image and then share the key with authorized personnel. This is because the resultant protection of the image will be extremely weak, although the n shares of the key will be smaller in size than the n shares of the secret image. In cases of a disk failure or hacker attack on the computer storing the encrypted version of secret image, the entire secret image will be deleted “forever”.

In the present study, we attempt to extend our previous foundational study [4] on sharing to introduce two other types of sharing: the forbidden type and cross-department support type. We implement these two types first by using a polynomial approach and then by using a linear-equations approach. Notably, the polynomial approach has been widely used by researchers, but not the linear-equations approach. We list both approaches here to increase security against hackers. For example, the secret image can be divided into several parts, where odd-numbered parts use the polynomial approach, and the even-numbered parts use the linear-equations approach.

The paper is organized as follows: Section 2 outlines the basics of polynomial-based sharing. Section 3 introduces the two proposed sharing types, including our two approaches to implementing each of the two types. Section 4 discusses some details of the design, such as how to obtain independent equations for the linear-equations approach and how to mix the two approaches to increase security. Section 5 describes practical application and implementation results. Section 6 concludes this study.

2. Review of Previous Work

Thien and Lin [4] proposed a (t, n) secret image sharing scheme in 2002. Their work has had many citations. In the scheme, the input image is partitioned and distributed into n shares by using a polynomial. The size of every share is only 1/t the size of the original secret. Any t shares can reconstruct the image, whereas shares fewer than t cannot. The (t, n) secret image sharing scheme of Thien and Lin [4] is as follows:

Polynomial-based (t, n) secret image sharing

Step 1. Input a secret image. Assume it has m pixels. Permute all the pixels according to a key to obtain a noisy-looking image Q, which still has m pixels.

Step 2. Divide Q into (m/t) nonoverlapping segments so that every segment has t pixels.

Step 3. For each t-pixel segment j = 1, 2,…, m/t, use the gray values of its t pixels as the t coefficients {a₀,…, a_t−1} in the segment-dependent polynomial:

p(x) = (a₀ + a₁x + a₂x² +…+ a_t−1x ^t−1) mod Z,

(1)

Step 4. Then, for each segment, the share S_i receives a value p(i), true for each i = 1,…, n. As the segments are processed sequentially, the data size of each of the n shares also grows. Finally, when all m/t segments are processed, there are n shares. For each i = 1,…, n, the share S_i receives one value from each of the m/t segments of image Q; thus, each share S_i has m/t values. (Therefore, each share is t times smaller than the m-pixel secret image.)

In these steps, the value of Z in Equation (1) can be set to 256, if all arithmetic operations in Equation (1) are in terms of the arithmetic operations in the Galois Field GF(256). For readers who are not familiar with the Galois Field, simply set Z to be a prime number near 256. For example, a study used Z = 251 [4], with auxiliary preprocessing that splits one pixel into two pixels for each pixel whose gray value is greater than 250.

The steps to recover the secret image are also executed segment by segment. For each segment, the t coefficients {a₀,…, a_t−1} in the segment-dependent polynomial (1) is solved using Lagrangian interpolation polynomial method. We omit a discussion of this method because it can be learned through Internet resources or from any textbook on Numerical Analysis, such as [20].

3. Proposed Types and Approaches

In this section, we introduce two extended types (Types 1 and 2) of image sharing; we also demonstrate how they can be implemented by using either the polynomial approach or linear-equations approach.

Type 1 (Sharing with forbidden combinations):

To understand what Type 1 image sharing is, without loss of generality, consider 6 people {P₁,…, P₆} who share together a secret of the company. The secret is such that 3 or more people must be gathered to unveil it. Hence, the secret can be recovered by ($\frac{6!}{\left(6-3\right)!3!}$) = 20 possible combinations of personnel if no combination is forbidden. However, according to a security check, P₁, P₃, and P₅ worked for a rival company before working in ours, making them less trustworthy. The combination of these 3 employees should thus be excluded as a combination that allows access to the secret. This is an example of Type 1 image sharing with a single forbidden combination, namely, {P₁, P₃, P₅}. Of course, if the boss of our company wishes to be more careful, he can even forbid more combinations such as {P₁, P₃, x}, {P₁, P₅, x}, and/or {P₃, P₅, x}, where x can be any of the other employees (i.e., any other P_i). In the preceding example, some combinations cannot be used to gain access to the secret. We call it “sharing with forbidden combinations” and denote it as (t_participants, n_participants, f) sharing. Here,

n_participants: The number of participants who share the secret. Each participant will hold a so-called “shadow” file.

t_participants: The minimum number of people required to recover the secret. Any t_participants of the n_participants participants can recover the secret by using the their shadow files, unless the t_participants people constitute a forbidden combination.

f: The number of forbidden combinations.

For example, the preceding example is a (3, 6, 1) scheme if there is only one forbidden combination {P₁, P₃, P₅} and a (3, 6, 4) scheme if all {P₁, P₃, x} combinations are forbidden. Traditional sharing, which has no forbidden combinations, can be denoted as (t_participants, n_participants, f) = (3, 6, 0), and it is thus treated as a special case of Type 1 image sharing.

Type 2 (Sharing with cross-department support):

Without loss of generality, assume there are 3 departments, namely {DEP_H, DEP_M, DEP_L}. For officers in department DEP_H, assume any 3 of them can recover the secret. For officers in department DEP_M, assume any 4 of them can recover the same secret. For officers in department DEP_L, assume any 5 of them can recover the same secret. Notice that this one secret has 3 thresholds: t_H = 3, t_M = 4, t_L = 5. Hence, each department has its own threshold. This system can be easily implemented by repeating the traditional sharing system thrice: first, use a (t, n) = (3, n_H) sharing system to share the secret among the n_H officers of department DEP_H, then use a (t, n) = (4, n_M) sharing system to share the “same” secret among the n_M officers of department DEP_M, and then use a (t, n) = (5, n_L) sharing system to share the “same” secret among the n_L officers of department DEP_L. However, due to illness, a terrorist attack, or business trips abroad, not every officer of the same department comes to the office every day. It is thus quite possible that on some workdays, the department has insufficient personnel to unveil the secret. For the company or government to still function, an auxiliary system must be designed to allow the secret to be unveiled in such a circumstance. Our so-called “cross-department support system” is one such system, where the secret can be unveiled through the cooperation of multiple departments.

In the following section, we detail our design for these two types. Section 3.1 and Section 3.2 describe the use of the polynomial and linear-equations approaches, respectively, in implementing the two types.

3.1. Using the Polynomial Approach to Design Types 1 and 2

Type 1 (Sharing with forbidden combinations):

Without loss of generality, consider 6 participants {P₁,…, P₆} in the company, of which, any 3 can unveil the secret, unless the 3 participants constitute a forbidden combination. Examples 1 and 2 illustrate the steps in creating a sharing scheme with one and two forbidden combinations, respectively, and the Appendix A at the end of paper illustrates the cases when the number of forbidden combinations is 3 or 4. In general, the design of Type 1 is case by case, and the design of Type 2 is easier.

Example 1

(one forbidden combination). A sharing scheme with one forbidden combination is easy to design. Without loss of generality, let the only forbidden combination be the combination {P₄, P₅, P₆}. Because there are only 6 participants, we shall create 6 “shadows” for the 6 participants per the following steps 1 and 2. This results in the creation of a (t_participants = 3, n_participants = 6, f = 1) threshold scheme, where {P₄, P₅, P₆} is the only forbidden combination.

Step 1: Use (t_artificial, n_artificial) = (9, 17) in polynomial-based sharing to share the secret and obtain n_artificial = 17 shares {S₁,…, S₁₇} such that any t_artificial = 9 of them can recover the secret.

Step 2: Distribute these 17 shares to 6 participants. The distributions of the 17 shares are P₁ = {S₁, S₂, S₃}, P₂ = {S₄, S₅, S₆}, P₃ = {S₇, S₈, S₉}, P₄ = {S₁₀, S₁₁, S₁₂}, P₅ = {S₁₃, S₁₄, S₁₅}, and P₆ = {S₁₆, S₁₇, S₁₂, S₁₅}.

Note that we deliberately let the final two components of the participant P₆ be the already-used shares S₁₂ and S₁₅, which had already appeared in P₄ and P₅. By doing this, the total number of different shares in the combination {P₄, P₅, P₆} is only 3 + 3 + 2 = 8, which is less than the threshold of 9, meaning that the secret cannot be revealed. Conversely, any other combination {P_i, P_j, P_k} yields at least 9 distinct shares, and hence, can reveal the secret. Notably, for Participants P₁ to P₅, every participant holds a shadow (the data held by a participant), which is constituted by 3 shares; and each share is 9 times smaller in size than the original secret in the (9, 17) threshold scheme. Therefore, in our (t_participants = 3, n_participants = 6, f = 1) scheme, the data size of each participant P₁ to P₅ is 3 × 1/9 = 1/3 of the size of the original secret. By contrast, because P₆ holds 4 shares, the data size is 4 × 1/9 = 4/9 of the size of the original secret.

Example 2

(two forbidden combinations). Figure 1 illustrates the design.

Still assume t_participants = 3, and n_participants = 6. Hence, any 3 participants can unveil the secret, unless the 3 participants constitute a forbidden combination. In Example 2, only two combinations {P₁, P₂, P₃} and {P₄, P₅, P₆} are forbidden, hence, f = 2. These combinations may be forbidden because, for example, the groups {P₁, P₂, P₃} and {P₄, P₅, P₆} do not trust each other. Because we have 6 participants, we now create 6 shadows for these 6 participants, where each participant gets a shadow comprising some shares. As with the first step of Example 1, we still use t_artificial = 9 in the traditional polynomial sharing scheme to share the secret and obtain many shares {S₁, S₂,…, S₁₃,…}, allowing the secret to be unveiled if any 9 of the shares are used. Because the threshold for “number of shares” is 9 and P₁ = {S₁, S₂, S₃}, P₂ = {S₄, S₅, S₆}, and P₃ = {S₇, S₈, S₃, S₆}, the combination {P₁, P₂, P₃} yields only 8 shares {S₁,…, S₈}, which is still fewer than 9, and the secret cannot be unveiled. Likewise, {P₄, P₅, P₆} yields only 8 shares {S₉,…, S₁₆} because P₄ = {S₉, S₁₀, S₁₁}, P₅ = {S₁₂, S₁₃, S₁₄}, and P₆ = {S₁₅, S₁₆, S₁₁, S₁₄}. Thus, the secret cannot be unveiled under the combination {P₄, P₅, P₆}. As for the other combinations {P_i, P_j, P_k}, members in the combination can view the secret because at least 9 shares are available. The proof of the aforementioned claims is routine and thus not presented for brevity.

Table 1. Some examples of sharing with forbidden combinations.

(tparticipants, nparticipants, f)	The Assigned f Forbidden Combinations	The Shares {Si} Appeared in Each Participant’s Shadow (Underline Means This Share in Participant Pi Also Appears in Some Other Participant Pj)
(3, 6, 3) *See Appendix A.	{P1, P2, P3} {P1, P2, P4} {P1, P2, P5}	P1 = {S1, S2, S3}, P2 = {S4, S5, S6}, P3 = {S7, S8, S1, S4}, P4 = {S9, S10, S2, S5}, P5 = {S11, S12, S3, S6} Then let P6 = {S13, S14, S15} whose shares never appear in other participants. Let tartificial = 9.
(3, 6, 4). *See Appendix A.	{P1, P2, P3} {P1, P2, P4} {P1, P2, P5} {P1, P2, P6}	P1 = {S1, S2, S3, S4}, P2 = {S5, S6, S7, S8}. Then let P3 = {S1, S5, S9, S10, S11}, P4 = {S2, S6, S12, S13, S14}, P5 = {S3, S7, S15, S16, S17}, P6 = {S4, S8, S18, S19, S20} Let tartificial = 12.

presents some other examples.

Notably, because more constraints must be considered, the design is likely to become more difficult when the number of forbidden combinations increases.

Example 3

(3, n_participants, f). Sharing whose f forbidden combinations always contain a trouble-making couple P₁ and P₂. See the Appendix A for the design.

Type 2 (Sharing with cross-department support):

Let each participant belong to one of several departments, for example, 3 departments {DEP_H, DEP_M, DEP_L}. Without loss of generality, assume the parameter pair (t = threshold, n = number of people in this department) for the 3 departments are, respectively, (t_H = 3, n_H = 4) for DEP_H, (t_M = 5, n_M = 6) for DEP_M, and (t_L = 7, n_L = 7) for DEP_L. As the first step in the design, we shall assign a value to an artificial threshold t_artificial, which is larger than any given local threshold. Subsequently, we use this artificial threshold t_artificial to share the secret and thus obtain several shares such that any t_artificial shares can recover the secret. We then distribute these shares to each person of each department. In this cross-department support type, we assume that shares are not repeatedly distributed. Let each person in DEP_H, DEP_M, and DEP_L obtain, respectively, Q_H, Q_M, and Q_L shares. Then, to satisfy each department’s rule for unveiling the secret, we must have:

7 × Q_L ≥ t_artificial > 6 × Q_L,

(2)

5 × Q_M ≥ t_artificial > 4 × Q_M,

(3)

3 × Q_H ≥ t_artificial > 2 × Q_H,

(4)

Because t_artificial, Q_H, Q_M, and Q_L are all positive integers, if Q_L is 1, then Equation (2) implies 7 ≥ t_artificial > 6; hence, t_artificial = 7. Furthermore, the right-hand side of Equation (3) implies t_artificial = 7 > 4 × Q_M, which means the positive integer Q_M is 1, thus contradicting the left-hand side of Equation (3) because 5 × Q_M ≥ t_artificial then becomes 5 × 1 ≥ 7. Hence, we cannot use Q_L = 1. Thus, we try the next smallest value 2 for Q_L. Equation (2) then implies 14 ≥ t_artificial > 12. Hence, t_artificial is 13 or 14, proven as follows. If t_artificial = 13, Equation (3) becomes 5Q_M ≥ 13 > 4Q_M, which can be satisfied by Q_M = ⌈13/5⌉ = 3, and Equation (4) becomes 3Q_H ≥ 13 > 2Q_H, which can be satisfied by Q_H = ⌈13/3⌉ = 5. Similarly, if t_artificial = 14, Equation (3) becomes 5Q_M ≥ 14 > 4Q_M, which can be satisfied by Q_M = ⌈14/5⌉ = 3, and Equation (4) becomes 3Q_H ≥ 14 > 2Q_H, which can be satisfied by Q_H = ⌈14/3⌉ = 5.

Likewise, if we try the next smallest value for Q_L, 3, then Equation (2) implies 21 ≥ t_artificial > 18. Hence, t_artificial is in {19, 20, 21}. We now prove that t_artificial can be 19, 20, or 21. If t_artificial = 19, Equation (3) becomes 5Q_M ≥ 19 > 4Q_M, which can be satisfied by Q_M = ⌈19/5⌉ = 4, and Equation (4) becomes 3Q_H ≥ 19 > 2Q_H, which can be satisfied by Q_H = ⌈19/3⌉ = 7. Analogous steps can be taken to prove that t_artificial can be 20 or 21.

When we execute the preceding procedure for Q_L ≥ 2, we obtain valid values for t_artificial, namely, t_artificial ∈ {13, 14}_{when QL = 2}, {19, 20, 21}_{when QL = 3}, {25, 26, 27, 28}_{when QL = 4}, {31, 32, 33, 34, 35}_{when QL = 5}, or {37, 38, 39, 40, 41, 42}_{when QL = 6}, and so on.

We now examine the system further. For example, let the artificial threshold be 14. We can then use (t_artificial, n_artificial) = (14, 52) in the traditional polynomial-based sharing scheme to create 52 shares. Each participant in DEP_H, DEP_M, and DEP_L gets 5 = ⌈14/3⌉, 3 = ⌈14/5⌉, and 2 = ⌈14/7⌉ shares, respectively. Moreover, for any 2 participants (whether from the same department or from different departments), their set of shares do not intersect. Notably, because no intersection is allowed, any 3 DEP_H participants can hand in 3 × 5 = 15 > 14 distinct shares; any 5 DEP_M participants can hand in 5 × 3 = 15 > 14 distinct shares; and any 7 DEP_L participants can hand in 7 × 2 = 14 distinct shares. However, 2 DEP_H participants receive only 2 × 5 = 10 < 14 distinct shares; 4 DEP_M participants receive only 4 × 3 = 12 < 14 distinct shares; and 6 DEP_L participants receive only 6 × 2 = 12 < 14 distinct shares. Hence, the intra-department thresholds to unveil the secret are 3 for DEP_H, 5 for DEP_M, and 7 for DEP_L. We create 52 shares because 4 × 5 + 6 × 3 + 7 × 2 = 52. In the deciphering meeting, the secret is revealed once the total number of available shares is equal to or greater than the threshold number 14, regardless of whether the participants are from the same department.

Table 2. Solutions to unveil secret using within-department or cross-department support. The (t, n) instances are (3, 4), (5, 6), and (7, 7), respectively, for each of the 3 departments.

Possible Solutions	The Number of Participants in Three Departments
Solution 1. Only DEPH	3 DEPH participants
Solution 2. Only DEPM	5 DEPM participants
Solution 3. Only DEPL	7 DEPL participants
Solution 4.	2 from DEPH and 2 from DEPM
Solution 5.	2 from DEPH, 1 from DEPM and 1 from DEPL
Solution 6.	2 from DEPH and 2 from DEPL
Solution 7.	1 from DEPH and 3 from DEPM
Solution 8.	1 from DEPH, 2 from DEPM and 2 from DEPL
Solution 9.	1 from DEPH, 1 from DEPM and 3 from DEPL
Solution 10.	4 from DEPM and 1 from DEPL
Solution 11.	3 from DEPM and 3 from DEPL
Solution 12.	2 from DEPM and 4 from DEPL
Solution 13.	1 from DEPM and 6 from DEPL
....	.....

lists some of the many possible combinations that can be used to reveal the secret.

For the 3 departments, the size of each shadow file held by a participant is, respectively, 5/14, 3/14, and 2/14 of the original secret image size. Moreover, in the aforementioned design for cross-department sharing, the artificial threshold t_artificial is not unique, and the designers have the freedom to choose their own artificial threshold t_artificial. For example, rather than using the aforementioned t_artificial = 14, we may also use, say, t_artificial = 20, to create shares. Then each participant in DEP_H, DEP_M and DEP_L has 7 (= ⌈20/3⌉), 4 (= ⌈20/5⌉) and 3(= ⌈20/7⌉) shares, respectively. For each of the 3 departments, the shadow size is, respectively, 7/20, 4/20, and 3/20 of the size of the original secret. In addition to following the preceding steps to obtain valid values of t_artificial by checking whether Equations (2)–(4) are satisfied, another method for obtaining t_artificial is to use the least common multiple (LCM) of the threshold values of all departments. If the LCM is used, Equations (2)–(4) will be automatically satisfied: positive integer solutions for Q_H, Q_M, and Q_L necessarily exist because we can let Q_H = t_artificial/t_H, Q_M = t_artificial/t_M, and Q_L = t_artificial/t_L. Algorithm 1 shows how to use LCM to create shadows for cross-department support.

Algorithm 1. To create shadows for cross-department support

1: Set the value of tartificial to LCM (tH, tM, tL).   2: Set the value of nartificial to (tartificial/tH) × nH + (tartificial/tM) × nM + (tartificial/tL) × nL.   3: Use (tartificial, nartificial) in traditional polynomial sharing scheme to create nartificial shares.   4: for each participant in DEPH do   5: Grab (tartificial/tH) not-yet-used shares to create the shadow for this participant.   6: end for   7: for each participant in DEPM do   8: Grab (tartificial/tM) not-yet-used shares to create the shadow for this participant.   9: end for 10: for each participant in DEPL do 11: Grab (tartificial / tL) not-yet-used shares to create the shadow for this participant. 12: end for 13: return the shadow of each participant.

Remark 1: Here, the shadow size of each participant in the 3 departments are, respectively, (LCM/t_H) × (1/LCM) = 1/t_H, (LCM/t_M) × (1/LCM) = 1/t_M, and (LCM/t_M) × (1/LCM) = 1/t_L the size of the original secret. This is because, as stated in Thien and Lin [4], each share is LCM times smaller than the original secret is when t_artificial = LCM is used to create shares.

Remark 2: Many values can be used as the value of t_artificial, but they must satisfy the necessary but insufficient condition of t_artificial ≥ Max{thresholds of all departments}. We may use multiple thresholds. For example, to confuse hackers, we can use t_artificial = 19, 14, 13, 20, 21, 25, 26, 28, 27, 31, 32, 35, 34, 33, … to confuse hackers. For instance, a small part of the secret is shared using t_artificial = 19; then a small part of the secret is shared using t_artificial = 14; then certain parts of the secret are shared using t_artificial = 13; then… Since there are so many possible combinations, it will be more difficult for the hackers.

Figure 2 illustrates the design (Figure 2a–c) and the secret disclosure (Figure 2d) for a cross-department support system involving 3 departments, as described in Section 3.1. We use (t_artificial, n_artificial) = (14, 52) in traditional polynomial-based sharing to create 52 shares. Then, we distribute these 52 shares to all participants; and each participant of department DEP_H gets more shares to form their shadows.

3.2. Using the Linear-Equations Approach to Design Types 1 and 2

The linear-equations approach can be mapped from the polynomial approach. Because we already introduced the polynomial approach, we only need to know how to map from the polynomial approach to the linear-equations approach. In the polynomial approach, every participant has a shadow file comprising several shares, whereas in the linear-equations approach, every participant has a shadow file comprising several equations. For both approaches, the threshold t_artificial must be met to unveil the secret. Specifically, in the polynomial approach, participants attending a meeting must have at least t_artificial distinct shares, whereas in the linear-equations approach, participant attendees must have at least t_artificial independent equations. The linear-equations approach thus proceeds as follows.

Algorithm 2. General procedure to derive the linear-equations approach from the (tartificial,     nartificial) polynomial approach

1: Create an nartificial-by-tartificial matrix A so that any tartificial of its nartificial rows are independent.   2: Partition secret image to non-overlapping segments of tartificial pixel values each.   3: for each secret segment, Dsecret, do   4:  for k = 1 to nartificial do   5:    Calculate the inner product value IPk = Rowk ∙ Dsecret.   6:  end for   7:  for i = 1 to nparticipants do   8:    for j = 1 to nartificial do   9:      if Participant Pi gets the share Sj in the polynomial approach then   10:         Participant Pi gets the pair (Rowj, IPj) in linear equations approach.   11:       end if   12:     end for   13:   end for   14: end for   15: return the rows and inner product values collected by each participant.

Notably, every share S_j in the polynomial approach is replaced by a corresponding equation Eq_j in the linear-equations approach. Here, each equation Eq_j is formed of two parts: firstly, the t_artificial left-hand side coefficients of equation Eq_j are the t_artificial-dimensional vector Row_j; secondly, the right-hand side of equation Eq_j is the inner product value IP_j. Hence, any t_artificial independent equations can uniquely solve for the t_artificial values of the t_artificial-dimensional vector D_secret. If a participant P gets {S₁, S₂, S₅, S₇} in the polynomial approach, then that participant P also gets {Eq₁, Eq₂, Eq₅, Eq₇}, i.e. {Row_j & IP_j}_{j = 1, 2, 5, 7} in the linear-equations approach. Thus, regardless of whether a Type 1 (the forbidden type) or Type 2 (the cross-department support type) system is used, just map the method from polynomial approach to linear-equations approach, by letting the shares held by each participant be replaced by the corresponding equations, or vice versa. For example, if the polynomial approach is used, where participant P_a gets {S₁, S₂, S₅, S₇} and participant P_b gets {S₃, S₄, S₆, S₈}, to obtain the corresponding instance of the linear-equations approach, we let participant P_a get {Row_j; IP_j}_{j = 1, 2, 5, 7} and participant P_b get {Row_j; IP_j}_{j = 3,4, 6, 8}. Moreover, if rows are created using a specified process or algorithm, as discussed in Section 4.1, then each participant does not need to store the rows; for example, P_a only stores {IP_j}_{j = 1, 2, 5, 7} and P_b only stores {IP_j}_{j = 3, 4, 6, 8}.

Types 1 and 2 are detailed as follows. Example 1* is derived from Example 1 of Section 3.1, where Example 1*’s steps are such that Step 1* is derived from Step 1 of Section 3.1, Step 2* is derived from Step 2 of Section 3.1, and so on.

Type 1: Sharing with forbidden combinations

Because the linear-equations approach can be mapped from the polynomial approach, we can, without loss of generality, simply use the examples in Section 3.1 to detail such a mapping. Hence, as in Section 3.1, we still consider 6 participants (P₁,…, P₆), where any 3 of the 6 participants can unveil the secret, unless the 3 participants form a forbidden combination. Examples 1* and 2* illustrate the steps required to create the sharing scheme with one and two forbidden combinations, respectively. Every other example of Section 3.1 also has a linear-equations counterpart in this section, Section 3.2.

Example 1*

(one forbidden combination). As in Example 1 of Section 3.1, {P₄, P₅, P₆} is the only forbidden combination. Because there are 6 participants, we create 6 shadows for the 6 participants per the following steps 1* and 2*. Notably, this is a $($t_participants = 3, n_participants = 6, f = 1) threshold scheme, and {P₄, P₅, P₆} is the only forbidden combination.

Step 1*: As in Step 1 of Example 1 for the polynomial-based approach, t_artificial = 9 and n_artificial = 17. First, create a matrix with 17 rows where each row is 9-dimensional and any t_artificial of the n_artificial rows are independent. Subsequently, grab the next t_artificial = 9 not-shared-yet numbers from the secret, where these secret numbers are termed D_secret. Then, for i = 1 to i = n_artificial (1 to 17 in this case), let Eq_i be the equation (Row_i) ∙ (D_secret) = IP_i, where IP_i is the value of the inner product of the two vectors Row_i and D_secret. Notably, because any t_artificial = 9 of the n_artificial rows are independent, any t_artificial = 9 of the n_artificial equations can uniquely solve for D_secret, which has t_artificial = 9 secret numbers.

Step 2*: Distribute these 17 equations to 6 participants. Recall that in Example 1’s polynomial-based approach (Section 3.1), the distribution of shares were P₁ = {S₁, S₂, S₃}, P₂ = {S₄, S₅, S₆}, P₃ = {S₇, S₈, S₉}, P₄ = {S₁₀, S₁₁, S₁₂}, P₅ = {S₁₃, S₁₄, S₁₅}, and P₆ = {S₁₆, S₁₇, S₁₂, S₁₅}. Thus, for this corresponding instance of the linear-equations approach, we let the distribution of equations for the 6 participants be P₁ = {Eq₁, Eq₂, Eq₃}, P₂ = {Eq₄, Eq₅, Eq₆}, P₃ = {Eq₇, Eq₈, Eq₉}, P₄ = {Eq₁₀, Eq₁₁, Eq₁₂}, P₅ = {Eq₁₃, Eq₁₄, Eq₁₅}, and P₆ = {Eq₁₆, Eq₁₇, Eq₁₂, Eq₁₅}.

Similarly, the final two components of the participant P₆ already appeared in P₄ and P_5. Thus, the total number of different equations in the combination {P₄, P₅, P₆} is only 3 + 3 + 2 = 8, which is less than the threshold t_artificial = 9, meaning that the secret D_secret cannot be revealed. Conversely, any other combination {P_i, P_j, P_k} yields 9 independent equations, meaning that the 9 secret numbers in D_secret can be revealed.

Remark 3: Assume that the rule to create the independent 17-by-9 matrix A in Step 1* is from an algorithm—for example, each element a_i,j is (i)^j−1—then there is no need to store the matrix. In this case, only the right-hand side of that equation—for example, the value IP_i of the inner product for Eq_i—needs to be stored. Hence, when a 9-number D_secret is shared, every participant from P₁ to P₅ holds 3 inner product values, and P₆ holds 4 inner product values.

Example 2*

(two forbidden combinations). Similarly, assume that t_participants = 3 and n_participants = 6, meaning that any 3 participants can unveil the secret, unless the 3 participants constitute a forbidden combination. As in Example 2 of the polynomial approach, only the two combinations {P₁, P₂, P₃} and {P₄, P₅, P₆} are forbidden; hence, f = 2. Because we have 6 participants, we create 6 shadow files for these 6 participants. Each participant gets a shadow comprising some equations. As in the first step of Example 1*, we use the (t_artificial = 9, n_artificial = 16) scheme to share the 9-number secret section D_secret and obtain 16 equations {Eq₁, …, Eq₁₆}, where the 9-number secret section D_secret can be obtained if any 9 equations are used. Because the threshold for “number of equations” is 9 and P₁ = {Eq₁, Eq₂, Eq₃}, P₂ = {Eq₄, Eq₅, Eq₆}, and P₃ = {Eq₇, Eq₈, Eq₃, Eq₆}, we can see that {P₁, P₂, P₃} 3 people together only have 8 equations {Eq₁,…, Eq₈}, which is still less than 9, meaning that D_secret cannot be unveiled. Similarly, {P₄, P₅, P₆} together only have 8 equations {Eq₉,…, Eq₁₆} because P₄ = {Eq₉, Eq₁₀, Eq₁₁}, P₅ = {Eq₁₂, Eq₁₃, Eq₁₄}, and P₆ = {Eq₁₅, Eq₁₆, Eq₁₁, Eq₁₄}, meaning that D_secret also cannot be unveiled. As for the other {P_i, P_j, P_k} combinations, the secret can be revealed because at least 9 equations are available. The proofs of the preceding statements are routine and are thus not presented.

Type 2: Cross-department support system

We must demonstrate how the polynomial approach can be extended to the linear-equations approach. Without loss of generality, only demonstrate such an extension for the example where t_artificial = 14 in the cross-department support algorithm (Algorithm 1) of Section 3.1. Other examples of Type 2 in Section 3.1 can be analogously extended. In Algorithm 3, still use the parameter values used in Figure 2, namely, (t_H = 3, n_H = 4), (t_M = 5, n_M = 6), (t_L = 7, n_L = 7), and t_artificial = 14.

Algorithm 3. Linear-equations approach to cross-department support

1: Get the input thresholds {tH = 3, tM = 5, tL = 7} of all 3 departments. Also get the input    number of participants {nH = 4, nM = 6, nL = 7} of all 3 departments.   2: Use Equations (2)–(4) to find a suitable artificial threshold value tartificial =14.   3: Calculate nartificial = ⌈tartificial/tH⌉ × nH + ⌈tartificial/tM⌉ × nM + ⌈tartificial/tL⌉ × nL = ⌈14/3⌉ × 4 + ⌈14/5⌉ × 6            + ⌈14/7⌉ × 7 = 5 × 4 + 3 × 6 + 2 × 7 = 52.   4: Create a 52-by-14 matrix A such that any 14 of the 52 rows are independent.   5: Partition the secret image to non-overlapping segments of 14 pixel values each. Let nSEG      denote the total number of non-overlapping segments.   6: While there are secret segments not shared yet do   7:   Grab a tartificial-values not-yet-shared segment, Dsecret, of the secret image.   8:   for k = 1 to nartificial do   9:     Calculate the inner product value IPk = Rowk ∙ Dsecret for this segment. 10:   end for 11: end while 12: for each participant in DEPH do 13: Grab ⌈tartificial/tH⌉ = ⌈14/3⌉ = 5 of the not-yet-assigned rows of A. The participant stores    these 5 rows and the 5 × nSEG inner product values created above using these 5 rows. 14: end for 15: for each participant in DEPM do 16:  Grab ⌈tartificial/tH⌉ = ⌈14/5⌉ = 3 of the not-yet-assigned rows of A. The participant stores   these 3 rows and the 3 × nSEG inner product values created above using these 3 rows. 17: end for 18: for each participant in DEPL do 19:  Grab ⌈14/7⌉ = 2 of the not-yet-assigned rows of A. The participant stores these 2 rows    and the 2 × nSEG inner product values created above using these 2 rows. 20: end for 21: return the equation shadows, which are the stored rows and corresponding stored inner      product values, of each participant of each department.

Notably, in Algorithm 3, because any t_artificial = 14 of the n_artificial = 52 rows are independent, we can claim that any t_artificial = 14 of the n_artificial = 52 equations can solve for the secret D_secret uniquely [21,22], true for the secret D_secret of each segment. Again, if the rule to create the independent 52-by-14 matrix A is by a predetermined method or rule (see Section 4.1), then only the value IP_i of the inner product needs be stored for the equation Eq_i. Hence, when a 14-number segment D_secret is shared, every DEP_H, DEP_M, and DEP_L participant holds ⌈t_artificial/t_H⌉ = ⌈14/3⌉ = 5, ⌈t_artificial/t_M⌉ = ⌈14/5⌉ = 3, and ⌈t_artificial/t_L⌉ = ⌈14/7⌉ = 2 inner product values, respectively. The 5:3:2 ratio is identical to the 5:3:2 ratio when the polynomial approach is used. Finally, as stated in Section 3.1, t_artificial can have many possible values. Hence, to confuse hackers, we may use a sequence of dynamic thresholds such as t_artificial = 19, 14, 13, 20, 21, 25, 26, 28, 27, 31, 32, 35, 34, 33,… to share a single secret image.

4. Discussion: Other Details of the Design

Section 4.1 introduces some methods to generate linear independent equations in the linear-equations approach. Section 4.2 discusses the mixed use of the polynomial and linear-equations approaches to improve security. Section 4.3 introduces one more application type.

4.1. Generation of Linear Independent Equations

The most important thing when we use linear-equations approach is the independent relationship between linear equations. To obtain independent equations (or equivalently, to get independent vectors and use them as the left-hand side coefficients of the equations set), there are almost infinitely many possible designs. Two such methods are described as follows. The first method uses the exponential. For example, for k = 1, 2, 3,…, let vector k be ($k^0$, $k^1$, $k^2$, $k^3$…). The second method uses prime numbers. Without the loss of generality, we use t = 6. In this case, {2, 3, 5, 7, 11, 13} contains the first 6 primes and (2, 3, 5, 7, 11, 13), (3, 5, 7, 11, 13, 2), (5, 7, 11, 13, 2, 3),…, (13, 2, 3, 5, 7, 11) are 6 vectors of leftward circulation. Then we get from them the six vectors of rightward circulation: (13, 11, 7, 5, 3, 2), (11, 7, 5, 3, 2, 13), (7, 5, 3, 2, 13, 11),…, (2, 13, 11, 7, 5, 3). Any other set of 6 primes can also be used. In summary, many designs are possible, which makes it difficult for others to guess the correct values. For example, the readers can also use trigonometric functions values so that vector k uses angle k, etc.

4.2. Mixed Use of the Two Approaches

In this paper, by introducing two distinct approaches when sharing, we can confuse hackers as follows. We may divide the given secret image into several regions; then apply the polynomial approach to some regions and the linear-equations approach to others. Figure 3 illustrates one of many examples. In general, there are a large number of possible ways to partition an image into regions. This is because either of the two approaches can be chosen for each region, and region-specific parameters (for either the polynomial or linear-equations approach) can be used. This makes hacking much more difficult. For example, if we partition the image into 100 blocks, then, even if the blocks are of uniform size, and even if the hackers know that we have used 100 blocks of the same size, there are still 2¹⁰⁰ = 10³⁰ possible choices that the hackers have to sieve through before they can arrive at the correct local sharing parameters. This difficulty is compounded if other shapes, such as triangular blocks, or irregular shapes are used.

4.3. Sharing that Requires All Departments

In some circumstances, representatives from every department must be present. One example is a labor union meeting, where every department of the union must have at least one attendee to disclose a secret. We thus apply our method to this type of sharing, which we call “all-department” sharing. Without loss of generality, we still consider 3 departments: DEP_H, DEP_M, and DEP_L. For simplicity, we also assume that every department has 4 people (i.e., 4 participants). Hence,

DEP_L = {P₁, P₂, P₃, P₄}, DEP_M = {P₅, P₆, P₇, P₈}, and DEP_H = {P₉, P₁₀, P₁₁, P₁₂}.

As with the preceding examples, every participant owns a shadow. We now demonstrate how shadows can be created for these participants.

Step 1: Use traditional (t_artificial, n_artificial) = (9, 12) sharing to share the secret and obtain n_artificial = 12 shares {S₁,…, S₁₂} so that any t_artificial = 9 of the shares can unveil the secret.

Step 2: Partition these 12 shares into 3 equal parts of 4 shares each. Next, assign shares S₁–S₄ to DEP_L, S₅–S₈ to DEP_M, and S₉–S₁₂ to DEP_H. Note that each share appears in exactly one department.

Step 3: Every department can use its 4 shares to create $C_3^4$ = 4 combinations of 3 shares each. Distribute these 4 combinations to the 4 people in the department. For example,

DEP_L: P₁ = {S₁, S₂, S₃}, P₂ = {S₁, S₂, S₄}, P₃ = {S₁, S₃, S₄}, P₄ = {S₂, S₃, S₄}.

DEP_M: P₅ = {S₅, S₆, S₇}, P₆ = {S₅, S₆, S₈}, P₇ = {S₅, S₇, S₈}, P₈ = {S₆, S₇, S₈}.

DEP_H: P₉ = {S₉, S₁₀, S₁₁}, P₁₀ = {S₉, S₁₀, S₁₂}, P₁₁ = {S₉, S₁₁, S₁₂}, P₁₂ = {S₁₀, S₁₁, S₁₂}.

Every department has 4 shadows. Any 2 departments together can only have 8 different shares, which are still less than t_artificial = 9. Therefore, the secret can be revealed only when participants come from all 3 departments.

In case the departments have more members, t_artificial and n_artificial can be increased to overcome the problem. For example, if the number of people in every department increases from 4 to 5, where DEP_L = {P₁, P₂, P₃, P₄, P₅}, DEP_M = {P₆, P₇, P₈, P₉, P₁₀}, and DEP_H = {P₁₁, P₁₂, P₁₃, P₁₄, P₁₅}, we can simply increase t_artificial and n_artificial, for example, 12 and 15, respectively. The method for creating shadows in this case is detailed as follows:

Step 1: Use (t_artificial, n_artificial) = (12, 15) in traditional sharing to share the secret and obtain n_artificial = 15 shares {S₁,…, S₁₅}, where any t_artificial = 12 of the shares can be used to recover the secret.

Step 2: Because there are 3 departments, we partition these 15 shares into 3 equal parts of 5 shares each. Next, assign shares S₁–S₅ to DEP_L, S₆–S₁₀ to DEP_M, and S₁₁–S₁₅ to DEP_H.

Step 3: Every department can use its 5 shares to create $C_3^4$ = 5 possible combinations of 4 shares each. Distribute these 5 combinations to the 5 people in the department. For example,

DEP_L: P₁ = {S₂, S₃, S₄, S₅}, P₂ = {S₁, S₃, S₄, S₅}, P₃ = {S₁, S₂, S₄, S₅}, P₄ = {S₁, S₂, S₃, S₅}, P₅ = {S₁, S₂, S₃, S₄}.

DEP_M: P₆ = {S₇, S₈, S₉, S₁₀}, P₇ = {S₆, S₈, S₉, S₁₀}, P₈ = {S₆, S₇, S₉, S₁₀}, P₉ = {S₆, S₇, S₈, S₁₀},

P₁₀ = {S₆, S₇, S₈, S₉}.

DEP_H: Use S₁₁–S₁₅ to create likewise.

Every department has 5 shadows, and any 2 departments together can only have 5 + 5 = 10 different shares, which are still less than t_artificial = 12 shares. Therefore, the secret can only be revealed when all 3 departments have attendees because at least 4 × 3 = t_artificial = 12 different shares are present.

5. Practical Applications and Implementation Results

Practical application examples of the forbidden-type sharing include the concealment of sensitive information in medical or military images or legal documents. For instance, for a given X-ray image, the corresponding patient’s name, age, gender, and medical history are very sensitive and must be protected if this information is to be attached to the image for the convenience use of hospital’s treatment team. To avoid being charged by the patient, no doctor of the treatment team should be allowed to see any personally identifiable information of the patient (except the X-ray image), unless sufficient number of the members of the treatment team agree to simultaneously unveil the hidden information in the treatment meeting.

Figure 4 gives an example of this kind of application. Figure 4a is the original 512 × 1024 lung X-ray and medical chart image of a patient. We may use (t_participants, n_participants) = (2, 4) sharing to share the image among 4 doctors {D₁–D₄}. The left half (the X-ray image) can be viewed by the cooperation of any two doctors. However, for the right half of the image, due to the sensitivity of the medical history, and also due to the fact that doctors D₁ and D₂ are brothers, we may particularly forbid the disclosure of the medical history if only these two brothers attend the disclosure meeting. Therefore, the left half image is shared using traditional sharing without any forbidding, i.e., (t_participants, n_participants, f) = (t_artificial, n_artificial, f) = (2, 4, 0). However, the right half image is shared using (t_participants, n_participants, f) = (2, 4, 1) with only one forbidden combination, namely {D₁, D₂}. Figure 4b,c show the disclosed image obtained by doctors {D₁, D₃} and {D₂, D₄}, respectively. Both Figure 4b,c are identical to Figure 4a. However, if {D₁, D₂} try to disclose the image, they only get Figure 4d.

In the above, the experiment is designed as follows. Split the original 512 × 1024 image in Figure 4a to two 512 × 512 images: one is the lung image, and the other is the medical history image. To show the mixed use of the two approaches, the lung image and the medical history image are shared using distinct approaches. The 512 × 512 lung image is shared using linear-equations approach with (t_participants, n_participants, f) = (2, 4, 0). To achieve this, we need a 2-by-4 matrixA such that each row has 2 elements, and any 2 of the 4 rows are independent. There are infinitely many ways to design this matrix. One such way is to let Row_i = (I, i+1) for I = 1, …, 4. Then, for each two-pixels pair of the X-ray image, let doctor D_istore an integer IP_i which is the inner product value of Row_i and a 2-dimensional vector formed of the two pixel values. Therefore, for the 512 × 512 X-ray image, each doctor will store 512 × 512/2 = 512 × 256 integers.

On the other hand, the right half of Figure 4a, i.e., the 512 × 512 medical history image, is shared using polynomial approach with (t_participants, n_participants, f) = (2, 4, 1). To achieve this, we use (t_artificial, n_artificial) = (4, 7) in traditional polynomial-based sharing to share the 512 × 512 medical history image and obtain n_artificial = 7 shares {S₁,…, S₇} such that any t_artificial = 4 of them can recover the medical history. Then we distribute these 7 shares to the 4 doctors. The distribution is that D₁ gets {S₁, S₂}, D₂ gets {S₂, S₃}, D₃ gets {S₄, S₅}, D₄ gets {S₆, S₇}. Note that we deliberately let the share S₂ appear in both D₁ and D₂. By doing this, the total number of different shares in the combination {D₁, D₂} is only 2 + 1 = 3, which is less than the threshold value 4, meaning that the medical history cannot be revealed. Conversely, any other combination {D_i, D_j} yields 4 distinct shares, and hence, can reveal the medical history. Notably, for the 512 × 512 medical history image, every doctor holds a record which is constituted by 2 shares; and each share is 4 times smaller in size than the original 512 × 512 medical history image in the (4, 7) threshold scheme. Therefore, the medical history data held by each doctor has 512 × 256 bytes which is 2×(1/4) = ½ of the size of the 512 × 512 medical history image. Now, combining the two results, we can see that each doctor holds 512 × 512/2 = 512 × 256 integers for the X-ray image and also holds 512×256 bytes for the medical history image. Since each integer is an inner product value of a 2-element row and a vector formed of two pixel values, the integer is between 0 and 2295 = (4 × 255) + (5 × 255) where 255 is the largest possible gray value, and 5 is the largest element of the matrix A whose Row_i = (I, i+1) for I = 1,…, 4. Hence, each integer needs ⌈(log 2,296)/(log 2)⌉ = 12 bits, or equivalently, 12/8 bytes. Hence each doctor holds 512 × 256 × (12/8 + 1) = 512 × 256 × (5/2) bytes as his shadow data. Therefore, each shadow size is (512 × 1024)/(512 × 256 × 2.5) = 1.6 times smaller than the size of the image of Figure 4a.

For military, the image in Figure 4a can be replaced by a military image such as Figure 5, and then shared likewise so that certain combination of participants are forbidden to view the dynamics data shown in the right half of Figure 5.

The above are the practical applications of the sharing with forbidden combinations. Below we discuss the practical applications of the sharing with cross-department support. In some events, quite often there are several departments involved in the same events simultaneously. For example, after a terrorist attack in a city, many departments of the government will repeatedly check the same encrypted items such as the photos of the suspects, the weapons being used, or the protection program of the eyewitness. In this case, the national security department, the provincial police department, and the city police department form the three departments {DEP_H, DEP_M, DEP_L} mentioned in Section 3. Let each participant (security agent or policeman) belong to one of the three departments. Without loss of generality, assume the parameter pair (t = threshold, n = number of people in this department) for the three departments are, respectively, (t_H = 3, n_H = 4) for DEP_H, (t_M = 5, n_M = 6) for DEP_M, and (t_L = 7, n_L = 7) for DEP_L. For the 4 officers in department DEP_H, any 3 of them can recover Figure 6. For the 6 officers in department DEP_M, any 5 of them can recover Figure 6. For the 7 officers in department DEP_L, all 7 of them must gather together in order to recover Figure 6. However, due to illness, road accident, or business trips abroad, not every officer of the same department comes to the office every day. It is thus quite possible that on some working days, the department has insufficient personnel to unveil the secret. For the government to still function, our cross-department support system can help us to unveil Figure 6 through the cooperation of multiple departments.

Using the design in Section 3.1, we did the experiments and found that the image in Figure 6 could be really unveiled as described in Table 2, either within-department or cross-department.

The other application example is for the mobile-phone/automobile/airplane/ship factories or any company using blueprint to build machine or product (see Figure 7). We can treat the blueprint as a secret image. Then the blueprint is shared among the engineers of the production department. It is also shared among the managers of the administration departments, or among the co-owners of the company. Hence, the cross-department support system is also helpful for the same reasons mentioned in the last paragraph.

6. Conclusions

In this paper, two types of secret image sharing, which are extensions of traditional image sharing, are proposed. Type 1 is the forbidden type, and Type 2 is the cross-department support type. Both the polynomial approach and linear-equations approach can be applied for each type. By using the concept of redundant shares when assigning traditional shares to participants, and by mapping between the polynomial approach and linear-equations approach, the two proposed designs to achieve the requirement of the two types are obtained. Notably, hacking becomes more difficult if both approaches are used in the same image. Furthermore, as stated in Remark 3 of Section 3, the value of the threshold t_artificial can be randomly chosen; hence, we may also use a predetermined sequence of multiple thresholds such as t_artificial = 14, 7, 11, 20, 43, 31, … to share the same secret in order to confuse hackers. Hacking becomes difficult because of this multiplicity of possible combinations.

We now compare between approaches and types. First, because Type 1 systems are designed on a case-by-case basis, systems of the forbidden type are harder to design than those of the cross-department support type. Second, the linear-equations approach is harder to apply than the polynomial approach is; although we have Algorithm 2, which is a general procedure to obtain the corresponding instance of the linear-equations approach from an instance of the polynomial approach. This is because Step 1 of Algorithm 2 implies the need to create an n_artificial-by-t_artificial matrix in the conversion to the linear-equations approach, where t_artificial of the n_artificial rows are linearly independent. This makes the linear-equations approach slightly harder to apply, but such nontrivial complexity also makes systems designed using the linear-equations approach more difficult to hack. As for storage, if the n_artificial-by-t_artificial matrix A needs to be stored, then the required storage space of each participant in the linear-equations approach is approximately t_artificial times larger than the corresponding space in the polynomial approach. However, if this matrix A can be automatically generated by an algorithm or a preassigned method, then matrix A does not need to be stored, making the storage space of the two approaches approximately equal; we analyze this claim as follows.

Each participant i in the linear-equations approach needs to store a value IP_i, which is the inner product of a row of A and a vector of t_artificial pixel values, that is, IP_i = (Row_i) ∙ (D_secret). Because (Row_i) has t_artificial elements and D_secret also has t_artificial pixel values, notice that the inner product value cannot exceed t_artificial × (Max A) × 256—where (Max A) is the maximal value of the elements of matrix A, 256 is the pixel value range, and t_artificial has its value because each inner product is the sum of t_artificial integers in which each integer is less than (Max A) × 256. To share a vector constituted by t_artificial pixels, each participant for whom the polynomial approach is used stores a byte, but each participant in the linear-equations approach stores approximately log₂₅₆[t_artificial × (Max A) × 256] = 1 + log₂₅₆(Max A) + log₂₅₆(t_artificial) bytes. Notably, 1 + log₂₅₆(Max A) + log₂₅₆(t_artificial) ≤ 1 + 1 + 1 = 3 if the maximal absolute value of elements of matrix Ais < 256 and t_artificial ≤ 256. If Max A becomes 65,535, the size amplification factor between the two approaches is still only 1 + 2 + 1 = 4. In the preceding analysis, if A contains negative elements, then replace Max A by the maximal absolute value of the elements of A. In summary, the use of the linear-equations approach (either singly or in conjunction with the polynomial approach, as described in Section 4.2) is meant to increase security against hackers, not decrease the complexity of the user’s work.

Third, we analyze the use of the LCM for t_artificial for all department thresholds in the cross-department support type, specifically regarding why the LCM yields greater economy in storage space relative to other candidate values. The shadow file size of each participant in the three departments are, respectively, ⌈t_artificial/t_H⌉/t_artificial = (LCM/t_H)/LCM = 1/t_H, ⌈t_artificial/t_M⌉/t_artificial = (LCM/t_M)/LCM = 1/t_M, and ⌈t_artificial/t_L⌉/t_artificial = (LCM/t_L)/LCM = 1/t_L of the size of the original secret. To understand why, note that each share is 1/t_artificial smaller than the original secret is when we use t_artificial as the threshold in traditional sharing to create shares, and also that each DEP_x participant uses ⌈t_artificial/t_x⌉ shares to create their shadow, where x is the department. However, if t_artificial ≠ LCM, then t_artificial/t_H or t_artificial/t_M or t_artificial/t_L can be non-integers, which implies the possibility of ⌈t_artificial/t_H⌉/t_artificial > 1/t_H or ⌈t_artificial/t_M⌉/t_artificial > 1/t_M or ⌈t_artificial/t_L⌉/t_artificial > 1/t_L. If the preceding “>” relation holds for some departments, then the shadow files in those departments are larger than the shadow files created by using t_artificial = LCM. However, although the LCM yields a more economical shadow size, the LCM’s disadvantage is that because n_artificial shares must be created, and n_artificial > t_artificial, n_artificial may be too large if t_artificial is very large. In fact, in the linear-equations approach, since we need to create a n_artificial-by-t_artificial matrix where any t_artificial of the n_artificial rows are independent; such independence becomes harder to achieve for increasing values of t_artificial.

Fourth, cross-department-supported sharing is different from progressive sharing [7,8,19]. In progressive sharing, the unveiling of the secret decreases in error to finally become error free. In cross-department-supported sharing, the unveiling of the secret is either error free or completely nothing (100% vs. 0%). In words, the secret disclosure of progressive sharing crosses several resolutions of image quality, whereas the secret disclosure of the cross-department support type crosses participants from several departments.