Reversible extended secret image sharing with ability to correct errors based on Chinese remainder theorem

Abstract

The reversible extended secret image sharing (RESIS) scheme can safely segment the secret image into a shadow image and embed it into the cover image, while ensuring that both the secret image and the cover image are completely restored. The existing schemes do not consider the attack on the information transmission channel, and often cannot correctly recover the secret image when attacked. In view of this, this paper fully considers the active attack on the information channel, and then proposes a RESIS scheme with error correction capability. In this paper, the Reed-Solomon code is used to detect modification attacks and correct errors to a certain extent. Additionally, the lossless recovery effect of both the secret image and the cover image is accomplished in conjunction with secret sharing scheme based on the Chinese remainder theorem. According to experimental findings, this method can resist certain active attacks.

1. Introduction

Secret sharing is a technology of dividing secrets, whose aim is to prevent secrets from being too concentrated. This technology is important in information security and data confidentiality, which plays a key role in the safe preservation, transmission, and legal utilization of important information and secret data. It is also the theoretical basis of image secret sharing technology.

The concept of secret sharing (SS) scheme is proposed by Shamir [1] and Blakley [2] in 1979. In the $\left(t,n\right)$ threshold SS scheme, the secret distributor decomposes the secret $s$ into $n$ sub-secrets $s_i\left(1<i\ll n\right)$. The secret $s$ can be recovered only if the combination of any $t\left(1<t\ll n\right)$ sub-secrets is satisfied. If there are fewer than $t$ sub-secrets, no information of secret $s$ can be obtained. Using the threshold SS scheme to keep secret $s$ has the following advantages. Firstly, the attacker cannot recover secret $s$ even if he can get up to $t-1$ secret shares. Secondly, even if up to $n-t$ shares are destroyed for some reason, the secret $s$ can be recovered. Thirdly, keeping secrets $s$ in a decentralized manner helps to avoid the abuse of rights caused by excessive concentration of rights. In 1983, Asmuth and Bloom [3] proposed a $\left(t,n\right)$-threshold SS scheme based on Chinese remainder theorem (CRT) [4], which is a theorem giving a unique solution to simultaneous linear congruences with coprime moduli, and has applications in many fields, such as computing, cryptography, and coding theory. In the field of image security protection, CRT can be used for image encryption [5] and secret image sharing (SIS). Since it is difficult for Asmuth and Bloom's SS scheme to select a set of appropriate modulus, Ning [6] extended the CRT-based SS scheme on integer ring to polynomial ring. After that, Wu [7] presented a straightforward formulation of an ideal $\left(t,n\right)$-threshold SS system based on CRT in 2022.

SIS scheme expands the secret scheme to the image, so as to ensure that the image will not be stolen or maliciously damaged in the transmission process. In 1994, Naor and Shamir [8] first proposed the idea of SIS, which is similar to the SS scheme, except that the secret value is replaced by a secret image. The secret image is divided into $n$ pieces, each of which is called a shadow image. Moreover, more than $t\left(t<n\right)$ shadow images can be combined to recover $s$, but less than $t$ cannot. Because this technology has the characteristics of concealment, security, and simplicity of secret recovery, the secret image sharing scheme has been widely used in many aspects. On the basis of Shamir's SS technique, Thien and Lin [9] designed a SIS in 2002. Since then, many works of literature [10,11] have constructed SIS schemes based on Shamir SS schemes. However, in the sharing scheme for 256 level gray images, these schemes have to select the number of modulo prime 251 (the maximum prime number less than 256). To realize the sharing of all pixels, the gray value of pixels greater than 250 must be converted to 250. Thus, they must change the original image, then the image quality is lost. To solve this problem, the CRT-based secret sharing scheme is used to construct a secret image sharing scheme [[12], [13], [14], [15], [16], [17]].

In the SIS scheme, the shadow image generated by dividing the secret image looks like a garbled image, not a normal image. And then these shadow images are easy to attract the attention of attackers when transmitted on the network. With the idea of information hiding, the extended secret image sharing (ESIS) [18,19] is proposed to add a cover image embedded by each shadow image, and finally form multiple stepo images, which are generated and distributed to shareholders. Because of the use of information hiding technology, the stego image looks no different from ordinary pictures visually, so it is easier to hide the transmitted information.

However, in some special situation, it is necessary to restore both the secret picture and the cover image. For illustration, the cover image is chosen to be a QR (Quick Response) Code. The carrier QR code contains the share created in accordance with the secret image, which may be retrieved and read normally to access the share's original public information. A reversible extended secret image sharing (RESIS) approach was put up by Lin [20] in 2009, where the secret image is embedded into the cover image through using modulus operator. A cheater in the partnership can be found using the Rabin's signature cryptosystem [21]. In this technique, in addition to shadow images, extra identification and authentication information is being conveyed from a sender to shareholders. In 2010, Lin [22] proposed another RESIS scheme based on Shamir $\left(t,n\right)$-threshold sharing approach, but it has an overflow problem. In 2013, Ulutas [23] introduced a RESIS with a greater stego image quality, where images are hidden and recovered using the modification direction approach and modulus operator. To provide information hiding and authentication simultaneously, Wu [24] suggested a RESIS approach for compressed images in 2019, where parity bits are built and disguised inside stego images. Meng [25] suggested a RESIS in 2021 that is based on Ning's CRT-based SS scheme and employs an 8th-order polynomial to represent pixels and carry out CRT operations. Since there are only 30 coprime polynomials to the 8th power, the maximum $n$ of this scheme is 30.

The above schemes focus on secret sharing and recovery, and only consider participant deception detection in terms of security. Stego images transmitted in the open channel are facing various attacks, including not only passive attacks such as monitoring and interception, but also active attacks such as modification.

To solve the active attack problem in the transmission process, this paper proposes a RESIS scheme with error correction capability by combining Reed-Solomon Codes [26] and CRT based secret sharing scheme. Reed-Solomon is the most well-known class of correcting codes, which has been used to a variety of data transmission and storage applications.

The contribution of this paper is given as follows.

• •A RESIS scheme is provided that allows for the lossless recovery of both the secret image and the cover image.
• •Using Reed Solomon code [26], the scheme can not only detect modification attacks, but also correct errors to a certain extent.
• •Taking multiple pixels as a polynomial, the scheme breaks through the limit of the number of shareholders to share compared with Ref. [25]. Meanwhile, higher power polynomials will expand the plaintext space and enhance security.

The rest of this paper is organized as follows. The preliminaries are listed in Section II. In Section III, the proposed RESIS is presented in detail. In Section IV, results of the experiment and analysis are provided. Finally, Section V concludes the paper.

2. Preliminaries

2.1. A simple construction of CRT-based ideal SS scheme

The operation of the paper [6] is based on polynomial rings, which can improve efficiency. After that, Wu et al. [7] suggested a straightforward design of the CRT-based ideal SS scheme for the improvement of effectiveness. The scheme includes two phases.

2.1.1. Distribution phase

Step 1

With a secret $s\left(x\right)=a_0+a_{1}x+a_2{x}^2\cdots +a_{d_r-1}{x}^{d_r-1}$, the dealer chooses $n$ polynomials $r_i\left(x\right)\left(i=\mathrm{1,2},\dots ,n\right)$ with degree less than $d_r$, and then produces a polynomial $f\left(x\right)$ of degree $d_f\left(d_f\le t{d}_r-1\right)$. The $f\left(x\right)$ is written as

$$f\left(x\right)=a_0+a_{1}x+\cdots +a_{d_r-1}{x}^{d_r-1}+\cdots +a_{d_f}{x}^{d_f}$$ (1)

where $a_i$ is the element of the Finite Field $F_q$ . And $r_i\left(x\right)$ is public information associated with shareholder $P_i$ for $i=1,2,\dots ,n$.

Step 2

The dealer computes the share $s_i\left(x\right)=f\left(x\right)\mathrm{mod}{r}_i\left(x\right)$, and then distributes shares to shareholder $P_i\text{.}$

2.1.2. Recovery phase

The combiner collects $k$ share $s_i\left(x\right)$, and gets a system of congruent equations:

$$\{\begin{array}{c}f\left(x\right)\equiv s_1\left(x\right)\mathrm{mod}{r}_1\left(x\right)\\ f\left(x\right)\equiv s_2\left(x\right)\mathrm{mod}{r}_2\left(x\right)\\ \cdots \\ f\left(x\right)\equiv s_k\left(x\right)\mathrm{mod}{r}_k\left(x\right)\end{array}$$ (2)

In the case of $d_f\ll t{d}_r-1$, the solution of $f\left(x\right)$ has an only one value, which can be determined:

$$f\left(x\right)=\sum _{i=1}^k{s}_i\left(x\right)M_i\left(x\right)M_i^{\prime }\left(x\right)\mathit{mod}M\left(x\right)$$ (3)

where $M\left(x\right)=\prod _{i=1}^k{r}_i\left(x\right)$, $M_i\left(x\right)=\frac{M\left(x\right)}{r_i\left(x\right)}$ and $M_i\left(x\right)\bullet M_i^{\prime }\left(x\right)\equiv 1\mathrm{mod}{r}_i\left(x\right)$. The secret bit sequence is the first $d_r$ coefficients of polynomial $f\left(x\right)$.

2.2. Least significant bit substitution

Least significant bit (LSB) substitution is often used as an image steganography algorithm. It is a kind of spatial algorithm and embeds the information into the lowest bit of pixel bits in the image points to ensure that the embedded information is invisible.

With a secret bit sequence $b$ and an image $I$, $k$-LSB substitution means that: the low $k$ bits are substituted for each pixel binary of the image $I$ by a group of $b$ that has a length of $k$, replacing each group in turn.

For example, $b{=}^{\prime }0\mathrm{b}{10}^{\prime }$, a pixel value $I_i$ is 180, the binary conversion of $I_i$ is '0b10110100'. If $k=2$, the 2-LSB algorithm replaces the lowest $2$ bits of the binary conversion of $I_i$ with $b$, forming the new binary sequence '0b10110110'. Then the new pixel value is 182.

Due to the small difference between 180 and 182, the human naked eye cannot accurately distinguish, so information hiding can be realized.

2.3. Reed-Solomon Codes

Due to some reasons (such as noise or interference etc.), errors will occur during data transmission or storage. To overcome this problem, the Reed Solomon codes were proposed [26].

Reed Solomon codes include two parts: encoder and decoder. One block of digital data is processed at a time in the encoder, and after that, extra "redundant" bits are added. Each block is handled in the decoder so that mistakes may be fixed and the original data can be retrieved. The Reed Solomon code's nature will determine how many mistakes may be fixed.

Reed-Solomon codes are described as $\mathrm{R}\mathrm{S}\left(s,p\right)$ with $\mathrm{l}$-bit symbols, as is shown in Fig. 1. The block length of the original data is $p$, and then the data is processed by the encoder. The encoder adds $s-p$ extra bits to the data forming $s$ codewords. The decoder can correct $t$-bit errors, which contains $2t=s-p$.

Fig. 1.

Reed-Solomon code RS (s, p).

A typical Reed-Solomon code is $\mathrm{R}\mathrm{S}\left(\mathrm{255,223}\right)$ with 8-bit symbols, where $p=223$, $s=255$, $\mathrm{l}=8$ and $t=16$. It means that each block contains 255 bytes; every time the encoder adds 32 bytes extra data. The decoder has the ability to correct up to 16-byte errors.

3. The proposed scheme

Combining the error correction algorithm of Reed-Solomon Codes and CRT over polynomial ring, we will give a minute description of our new RESIS scheme in this section.

3.1. The model

The model structure of the proposed scheme is shown in Fig. 2. The scheme has two phases: secret image sharing procedure and image retrieving procedure. The secret image sharing procedure includes sharing, encoding, and hiding stages. First, the dealer $D$ shares the secret image into $n$ share pieces with Wu et al. SS scheme. Then, $D$ uses Reed-Solomon code to encode $n$ share pieces into shadow images. Finally, 2-LSB is utilized to hide $n$ share pieces into the cover image, forming $n$ stego images. The image retrieving procedure includes extracting, decoding and recovery. Every shareholder uses 2-LSB to extract the shadow image from the stego image. And then Reed-Solomon code is used to decode shadow images to the share pieces. At last, the combiner represents $k\left(t\le k\le n\right)$ of shareholders recovery the secret image and cover image.

Fig. 2.

The model of our proposed scheme.

3.2. Setting parameters

We first set the parameters for the scheme, including the degree of polynomials, selecting some coprime polynomials and Reed Solomon code parameters.

In scheme [25], all pixels are represented by an 8th power polynomial, which is of course simple and natural. But there are only 30 coprime 8th power polynomials in $F_2\left(x\right)$. In the secret sharing of the Chinese remainder theorem, each user corresponds to a polynomial, then there are only 30 users at most. Our scheme taking multiple pixels as a polynomial will break through the limit of the number of shareholders to share.

Step 1

Define $d_r-\mathrm{d}\mathrm{e}\mathrm{g}\mathrm{r}\mathrm{e}\mathrm{e}$ polynomial $r\left(x\right)=x^{d_r}$, where $d_r$ represents the length of secret share in the CRT-based secret sharing scheme.

Step 2

Choose $\mathrm{n}$ co-prime polynomials $r_i\left(x\right)\in F_2\left[x\right]\left(i=\mathrm{1,2},\dots ,n\right)$, which satisfy: $r_i\left(x\right)$ and $\mathrm{r}\left(x\right)$ are co-prime, where $\mathrm{i}=\mathrm{1,2},\dots ,\mathrm{n}$; deg($r_1\left(x\right)$) = deg($r_2\left(x\right)$) = $\cdots$ = deg($r_n\left(x\right)$) = deg($\mathrm{r}\left(x\right)$) = $d_r$.

Step 3

A Reed-Solomon code is specified as RS($s,p$) with $\mathrm{l}$-bit symbols. Here, $p=d_r$. Depending on conditions such as communication and security requirements, we select appropriate correction parameters.

3.3. Detailed procedures

We describe the implementation details of the scheme, mainly including two parts: secret image sharing procedure and image retrieving procedure.

3.3.1. Secret image sharing procedure

• a)Sharing stage

The secret image is divided into $n$ $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ owed by user $P_i$. And the dealer D is in charge of sending every share to the corresponding user.

Step 1

Two images are picked by $D$: secret image and cover image, whose size are $W_s\times H_s$ and $W_C\times H_C$.

Step 2

Divide the cover image $C$ into blocks, which contains $2\mathrm{s}$ pixels. After that, a polynomial of degree $\mathrm{s}-1$ is defined as $\mathrm{A}\left(\mathrm{x}\right)=\sum _{\mathrm{i}=1}^{2\mathrm{s}}\left({\mathrm{a}}_{\mathrm{i},1}{\mathrm{x}}^{2\mathrm{i}-2}+{\mathrm{a}}_{\mathrm{i},2}{\mathrm{x}}^{2\mathrm{i}-1}\right)$, where ${\mathrm{a}}_{\mathrm{i},1}$ and ${\mathrm{a}}_{\mathrm{i},2}$ are last bit and the penultimate bit of the binary pixel value ${\mathrm{p}}_{\mathrm{c},\mathrm{j}}$.

Step 3

Pick $\mathrm{m}-1$ pixels ${\mathrm{p}}_{\mathrm{s},1},{\mathrm{p}}_{\mathrm{s},2},\cdots ,{\mathrm{p}}_{\mathrm{s},\mathrm{m}-1}$, where $8\mathrm{m}\ll \mathrm{t}\bullet {\mathrm{d}}_{\mathrm{r}}-\mathrm{s}$. Then a polynomial of degree $8\mathrm{m}-1$ is defined as $\mathrm{B}\left(\mathrm{x}\right)=\sum _{\mathrm{i}=1}^{\mathrm{m}-1}\sum _{\mathrm{j}=1}^8{\mathrm{b}}_{\mathrm{i},\mathrm{j}}{\mathrm{x}}^{8\left(\mathrm{i}-1\right)+\left(\mathrm{j}-1\right)}$, where ${\mathrm{b}}_{\mathrm{i},\mathrm{j}}$ is the $\mathrm{j}$-th binary value of the $\mathrm{i}$-th pixel ${\mathrm{p}}_{\mathrm{s},\mathrm{i}}$.

Step 4

Defines a new joint function:

$$\mathrm{f}\left(\mathrm{x}\right)=\mathrm{A}\left(\mathrm{x}\right)+\mathrm{B}\left(\mathrm{x}\right)\bullet \mathrm{r}\left(\mathrm{x}\right)={\mathrm{a}}_0+\cdots +{\mathrm{a}}_{{\mathrm{d}}_{\mathrm{r}}-1}{\mathrm{x}}^{{\mathrm{d}}_{\mathrm{r}}-1}+\cdots +{\mathrm{a}}_{\mathrm{s}}{\mathrm{x}}^{\mathrm{s}}+\cdots +{\mathrm{a}}_{{\mathrm{d}}_{\mathrm{f}}}{\mathrm{x}}^{{\mathrm{d}}_{\mathrm{f}}}$$ (4)

where $a_i\in F_2$.

Step 5

Generate a polynomial $s_i\left(x\right)$ for shareholder $\left\{P_i|\mathrm{i}=\mathrm{1,2},\cdots n\right\}$, and the polynomial $s_{sh,i}\left(x\right)=\mathrm{f}\left(x\right)\mathrm{mod}{r}_i\left(x\right)$.

Step 6

Get the coefficients of polynomial $s_{sh,i}\left(x\right)$ to form a bit sequence $s_{sh,\mathrm{i}}$ with length $d_r$. The degree of $s_{sh,\mathrm{i}}$ is less than or equal to $d_r$.

Step 7

Repeat step 2–6 to generating bit sequence until the secret image is converted into shares for all users. The dealer $\mathrm{D}$ aggregates all $s_{sh,i}$ to form the secret share $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ owed by user $P_i$.

• b)Encoding stage

To obtain the error correction ability, the dealer $\mathrm{D}$ does not directly embed the secret share in the cover image to obtain the shadow image. In this paper, these secret shares are encoded by Reed-Solomon code to form error correction codes to resist tampering attacks or transmission errors. Then the encoded image is embedded in the cover image.

The dealer $\mathrm{D}$ uses Reed-Solomon code to convert the secret share $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ into code words.

Step 1

The dealer $\mathrm{D}$ divides the secret share $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ into blocks with a length of $p$ bytes. The unit of block here is byte, because Reed-Solomon code is usually in bytes.

Step 2

Utilize Reed-Solomon code to convert the block with length $p$ into a codeword block with length $s$.

Step 3

Continue to perform Step 2 till all blocks are encoded completely.

• c)Hiding stage

The stego image $\mathrm{S}{T}_i$ is created through embedding code words into the cover image $\mathrm{C}$ with 2-LSB. The hiding stage has 5 steps:

Step 1

Select a byte $p_{i,j}$ from $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$, and chooses four pixels values $p_{c,1}\text{,}$ $p_{c,2},p_{c,3},p_{c,4}$ from cover image $\mathrm{C}$ respectively.

Step 2

$p_{i,j}$ is converted into binary values $\mathrm{b}\mathrm{i}\mathrm{n}\left(p_{i,j}\right)=$ {$b_1{b}_2{b}_3{b}_4{b}_5{b}_6{b}_7{b}_8$} and divided into four groups, each containing two binary bits {$b_1{b}_2,b_3{b}_4,b_5{b}_6,b_7{b}_8$}.

Step 3

Convert {$p_{c,1},p_{c,2},p_{c,3},p_{c,4}$} into binary values and replace the last two bits with {b₁b₂}, {b₃b₄} {b₅b₆} {b₇b₈}. And then the replaced 4 binary sequences are converted to decimal {$p_{st,1},p_{st,2},p_{st,3},p_{st,4}$}.

Step 4

Repeat steps 1–3 until the share $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ is totally embedded into the cover image $C$. Then the stego image $\mathrm{S}{T}_i$ is formed for user $P_i$.

Step 5

Repeat step 1–4 for other users until $n$ stego images $\mathrm{S}{T}_i\left(i=\mathrm{1,2,3},\cdots ,n\right)$ are computed. The dealer $\mathrm{D}$ sends all $\mathrm{S}{T}_i$ to the corresponding user $P_i$.

3.3.2. Image retrieving procedure

This section gives a description of the proposed secret image retrieval procedure. Assuming there are $n$ shareholders $P_1,P_2,\cdots ,P_n$, it is possible for $\mathrm{k}\left(t\le k\le n\right)$ of them to cooperate in order to get these two lossless images.

• a)Extracting stage

With a stego image $\mathrm{S}{T}_i\left(i=\mathrm{1,2},\cdots ,k\right)$ as input, the corresponding shareholders $P_i$ exact the hidden information using the 2-LSB algorithm.

Step 1

Divide the stego image $\mathrm{S}{T}_i$ into blocks including 4 pixels, such as $P_{st,1},P_{st,2},P_{st,3},P_{st,4}$.

Step 2

Convert the 4 pixels into binary sequence with length 8 bits. We mark the converted value bits as $\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,1}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,2}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,3}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,4}\right)$.

Step 3

Take out the last two bits of 4 pixels $\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,1}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,2}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,3}\right),\mathrm{b}\mathrm{i}\mathrm{n}\left(P_{st,4}\right)$, and combine them to form an 8-bit binary sequence, and convert the value into decimal.

Step 4

Repeat the above Step 1–3 until all the hidden information is extracted.

After the above steps are completed, a shareholder $P_i$ extracts its hidden information $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$. Other $k-1$ shareholders perform the same operations and gets all the secret share.

• b)Decoding stage

The shareholder $P_i$ utilizes Reed-Solomon code to decode the code words and obtains the secret share $shar{e}_i$.

Step 1

The shareholder $P_i$ divides the code words into blocks with a length of $s$ bytes.

Step 2

With the Reed-Solomon code, shareholder $P_i$ extracts valid information while correcting errors, and then obtains the blocks with length $p$.

Step 3

Repeat step 2 until the decoding is finished, and then the shareholder finally aggregates the decoded parts to obtain the secret share $shar{e}_i$.

• c)Recovery stage

Step 1

The shareholder $P_i$ convert $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ to a binary sequence.

Step 2

Divide the binary sequence into blocks with length $d_r$, and then recovers the polynomial $s_{sh,i}\left(x\right)$.

Step 3

Other shareholders repeat Step 1–2, and obtains their own polynomial $s_{sh,j}\left(x\right)\left(j!=i\right)$.

Step 4

After collecting $k$ polynomials, the combiner reconstructs the secret polynomial by computing

$$f\left(x\right)=\sum _{i=1}^k{s}_{sh,i}\left(x\right)M_i\left(x\right)M_i^{\prime }\left(x\right)\mathit{mod}M\left(x\right)$$ (5)

where $M\left(x\right)=\prod _{i=1}^k{r}_i\left(x\right)$, $M_i\left(x\right)=\frac{M\left(x\right)}{r_i\left(x\right)}$ and $M_i\left(x\right)M_i^{\prime }\left(x\right)\equiv 1\mathrm{mod}{r}_i\left(x\right)$.

Step 5

With the polynomial $f\left(x\right)$, $A\left(x\right)$ is the first 4 $\mathrm{s}$ terms, and $\mathrm{B}\left(x\right)$ is the residual terms module $r\left(x\right)$.

Step 6

Continue to perform steps 2–5, and then aggregate the obtained A (x) and B (x) to get the secret image and cover image.

4. Experiment and analysis

We demonstrate the effectiveness of the proposed RESIS scheme in this section. Then, a comparison to different related RESIS scheme is provided. Finally, we demonstrate the examination of security and accuracy.

4.1. Experiment

We select Lenna(128 $\times$ 128) as the secret image and Peppers (512$\times$ 512) as the cover image, and they are shown in Fig. 3. Set $n$ to 4 and $t$ to 3, which means that there are 4 shareholders and the threshold value is 3. Four co-prime polynomials with degree 223 for shareholders are chosen randomly. The Reed-Solomon code is set to be RS($\mathrm{255,223}$).

Fig. 3.

Secret image and Cover image.

With the proposed scheme, the secret image Lenna is shared and hidden in the cover image Peppers, and then forming 4 stego images, which are depicted in Fig. 4. Naturally, we cannot visually discriminate between these stego images and the cove image.

Fig. 4.

Stego images and Recovered images.

The peak signal-to-noise ratio (PSNR), mean square error (MSE), and structure similarity index method (SSIM) of stego images and recovered images are displayed in Table 1.

Table 1.

PSNR, MSE and SSIM of stego images and recovered images.

Images	PSNR	MSE	SSIM
Stego image 1, cover image	50.2138	0.6190	0.9956
Stego image 2, cover image	50.1702	0.6253	0.9955
Stego image 3, cover image	50.1893	0.6225	0.9955
Stego image 4, cover image	50.1803	0.6238	0.9956
Recovered cover image, cover image	$\infty$	0	1
Recovered secret image, secret image	$\infty$	0	1

The PSNR is defined as:

$$PSNR=10\times {\log }_{10}\left({\left(2^k-1\right)}^2/MSE\right)$$ (6)

where $k=8$.

The MSE is defined by:

$$MSE=\frac{1}{m}\sum _{i=1}^m{\left(p_i-q_i\right)}^2$$ (7)

where $p_i$ and $q_i$ represent the pixel value of two images $p$ and $q$ with $m$ pixels.

Loss of correlation, luminance distortion, and contrast distortion are the three elements that make up the design of the SSIM. The formula for calculating the SSIM is:

$$SSIM\left(p,q\right)=l\left(p,q\right)c\left(p,q\right)s\left(p,q\right)$$ (8)

where $\left(p,q\right)=\frac{2{\mu }_p{\mu }_q+C_1}{{\mu }_p^2+{\mu }_q^2+C_1},c\left(p,q\right)=\frac{2{\sigma }_p{\sigma }_q+C_2}{{\sigma }_p^2+{\sigma }_q^2+C_2},s\left(p,q\right)=$ $\frac{{\sigma }_{pq}+C_3}{{\sigma }_{pq}+C_3}$. Here, ${\mu }_p$ and ${\mu }_q$ are the mean values of image $p$ and image $q$ respectively; ${\sigma }_{pq}$ is the covariance of $p$ and $q$; $C_1$, $C_2$ and $C_3$ are positive constants used to prevent a null denominator.

The PSNR value and MSE between the stego image and the cover image are around 50.18 and 0.62, respectively, indicating that the stego image has been altered and exhibits some distortion when compared to the cover image. While the SSIM between the stego image and the cover image is around 0.995, this clearly shows that the brightness, contrast, and structure of the stego image and the cover image are highly comparable. Between the recovered image and the original image, there is a PSNR, MSE, and SSIM of $\infty$, 0 and 1. This indicates that the secret image and the recovered image are identical and that there was no loss during the recovery.

4.2. Least significant bit flipping attack

Flipping the least significant bit (LSB) of a pixel value in an image is referred to as an LSB flipping attack. The restoration of the secret image may be impacted by the modification, even how little it is.

In the experiment in subsection A, we target the stego pictures and change the LSB of a specific subset of pixels in each stego image. The range of the number is 0–4000. Fig. 5 shows that if the secret picture is changed within 1500 pixels, it may be fully recovered. There will be more changed pixels, which means some pixels won't be recovered. For the purpose of evaluating the quality of the recovered pictures using the SSIM metric, various numbers of LSB flipping attacks are applied to the shadow images in Fig. 6.

Fig. 5.

Recovered images with different number of pixels modifiability in every stego image.

Fig. 6.

SSIM values with different numbers of pixels attacked by LSB flipping.

According to the above experiment results, our proposed RESIS offers certain error correcting capabilities in resisting LSB flipping attack.

4.3. Comparing with other works

We evaluate the performance of our RESIS scheme in comparison to other related schemes proposed by Lin [16], Lin [18], Ulutas [19], and Meng [21] in seven different categories: error correction, meaningful stego image, lossless secret image, lossless cover image, most-capable pixels, sharing procedure cost, and recovery procedure cost.

Table 2 contains findings of comparation analysis. Only our proposed could correct errors. Schemes of Lin [16] and Lin [18] are constructed based on Shamir SS, and select 251 as the number of modulo prime. Unless additional processing is required, all pixels larger than 251 will not be effectively restored. Both Meng [21] scheme and our scheme are based on CRT polynomial ring, and thus it can recover all pixels naturally without other operations. Compared with Meng [21] scheme, out scheme uses Reed-Solomon Codes to get the ability to defend against modification attacks, thus its maximum capacity pixels $\frac{\left(t-1\right)\times W_C\times W_H\times p}{4\times s}$ is lower.

Table 2.

Comparing with other related schemes.

Functionality	Lin [16]	Lin [18]	Ulutas [19]	Meng [21]	Our Scheme
Error correction	N	N	N	N	Y
Meaningful stego image	Y	Y	Y	Y	Y
Lossless secret image	Y	N	Y	Y	Y
Lossless cover image	Y	Y	Y	Y	Y
Most-capable pixels	$\frac{\left(t-3\right)\times W_C\times W_H}{3}$	$\frac{\left(t-1\right)\times W_C\times W_H}{\lceil \mathrm{l}\mathrm{o}{\mathrm{g}}_{m}255\rceil }$	$\frac{\left(t-2\right)\times W_C\times W_H}{4}$	$\frac{\left(t-1\right)\times W_C\times W_H}{4}$	$\frac{\left(t-1\right)\times W_C\times W_H\times p}{4\times s}$
Sharing procedure cost	Ο$\left(t\right)$	Ο$\left(t\right)$	Ο$\left(t\right)$	Ο$\left(1\right)$	Ο$\left(1\right)$
Recovery procedure cost	Ο$\left(t\mathrm{l}{\mathrm{g}}^{2}t\right)$	Ο$\left(t\mathrm{l}{\mathrm{g}}^{2}t\right)$	Ο$\left(t\mathrm{l}{\mathrm{g}}^{2}t\right)$	Ο$\left(t\right)$	Ο$\left(t\right)$

4.4. Analysis

We shall assess the proposed scheme's accuracy and security. That is $t$ or more shareholders can reconstruct the secret image and cover image while $t-1$ or fewer cannot.

• 1)Theorem of correctness. Any t or more stego images can be employed to retrieve the secret image and cover image.

Proof. Suppose that $\mathrm{k}\left(k\ge t\right)$ shareholders have their shares $\mathrm{S}{T}_i\left(i=\mathrm{1,2},\cdots ,k\right)$. With the 2-LSB algorithm, the shareholder exacts the hidden information. Then the Reed-Solomon code is used to decode the hidden information and obtains the secret share $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$. The shareholder $P_i$ convert $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}{e}_i$ to a binary sequence and divide it into blocks with length $d_r$, so that the polynomial $s_{sh,i}\left(x\right)$ is obtained.

After $k$ shareholders have gotten their polynomials, the combiner has a system of congruent equations, which is shown as follow:

$$\{\begin{array}{c}f\left(x\right)=s_{sh,1}\left(x\right)\mathit{mod}{r}_1\left(x\right)\\ f\left(x\right)=s_{sh,2}\left(x\right)\mathit{mod}{r}_2\left(x\right)\\ \cdots \\ f\left(x\right)=s_{sh,k}\left(x\right)\mathit{mod}{r}_k\left(x\right)\end{array}$$ (9)

According to CRT, $f\left(x\right)$ can be computed. Beside $f\left(x\right)=A\left(x\right)+B\left(x\right)\bullet r\left(x\right)$, we can obtain $A\left(x\right)$ and $B\left(x\right)$. Repeat this process continuously, and the combiner gets all $A\left(x\right)$.With all $A\left(x\right)$ and a stego image, the combiner can recover the cover image using the 2-LSB algorithm. With all the polynomials $B\left(x\right)$, the secret image can be recovered.

• 2)Theorem of security. No more than $t$ stego images can be used to retrieve either the secret image or the cover image.

Proof. Suppose that $\mathrm{k}\left(k<t\right)$ shareholders have their shares $\mathrm{S}{T}_i\left(i=\mathrm{1,2},\cdots ,k\right)$. Perform steps similar to Theorem 1, the combiner can also obtain a system of congruent equation as follow:

$$\{\begin{array}{c}f\left(x\right)=s_{sh,1}\left(x\right)\mathit{mod}{r}_1\left(x\right)\\ f\left(x\right)=s_{sh,2}\left(x\right)\mathit{mod}{r}_2\left(x\right)\\ \cdots \\ f\left(x\right)=s_{sh,k}\left(x\right)\mathit{mod}{r}_k\left(x\right)\end{array}$$ (10)

Because $\sum _{i=1}^k\mathit{deg}\left(r_i\left(x\right)\right)=8\bullet d_r<8t$, the combiner cannot recovery only one polynomial based CRT. Thus, it is impossible to perform the recovery of the cover image and secret image.

5. Conclusions

In this study, an error-correcting RESIS system is put forward. To build the RESIS, we used the Reed-Solomon Code and SS scheme based on CRT. The Reed-Solomon Code is used to correct errors. Moreover, taking multiple pixels as a polynomial, our scheme can break through the number limit of shareholders. The security of information transmission is improved by these processes.

The previous RESIS schemes tend to attach more attention to secret image sharing. Some of them consider the authentication ability of SIS, trying to find out whether the stego image has been modified, but lack the consideration of error correction. Our proposed scheme has the capacity to repair errors, which will increase its resistance to active attacks. In other words, the technique can automatically retrieve some of the material that has been modified in addition to determining if the stego image has been altered.

However, some problems need to be solved in the practical application of this paper. The error correction capability needs to be further improved. At the same time, a high polynomial degree used in the proposed RESIS scheme also brings high computation, which needs to be balanced with security requirements.

Author contribution statement

Chaoying Wang; Zhibiao Liang: Conceived and designed the experiments; Performed the experiments; Analyzed and interpreted the data; Contributed reagents, materials, analysis tools or data; Wrote the paper.

Yong Peng: Performed the experiments; Analyzed and interpreted the data.

Yu Wang: Contributed reagents, materials, analysis tools or data.

Gang Ke: Conceived and designed the experiments.

Zhiping Jin: Analyzed and interpreted the data; Contributed reagents, materials, analysis tools or data.

Funding statement

Chaoying Wang was supported by the Key Special Projects of Guangdong Education Department [ZDZX1119], the special project of intelligent terminal and intelligent manufacturing of Dongguan vocational and technical college in 2021 [ZXF014].

Gang Ke was supported by Dongguan Science and Technology of Social Development Program [20211800904512], Dongguan Sci-tech Commissoner Program [20231800500352], Characteristic Innovation Projects for Ordinary Universities in Guangdong Province [2021KTSCX301].

Zhiping Jin was supported by Zhongshan Public Welfare Science and Technology Research Project [2021B2064, 2021B2068].

Zhibiao Liang was supported by General scientific research projects of Zhongshan Polytechnic [KYB2110].

Data availability statement

The data that has been used is from a publicly available repository.

Declaration of interest’s statement

The authors declare no competing interests.