Cheating and Prevention in Visual Secret Sharing 陳昱圻 博士 中央研究院 資訊科學研究所

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Treasure Map  Secret Sharing 2019/10/14

Treasure Map  Secret Sharing 2019/10/14

Secret Sharing Secret is the treasure or the map. How to share the secret? Three pieces of the treasure map. How to get the secret? Only three men together. Any one cannot. 2019/10/14

How to Share a Secret Secret sharing: distributing a secret among a group of participants. A dealer (a trusted party) allocates each of participants a share of the secret. The secret can only be recovered when the shares are combined together. 2019/10/14

Threshold Secret Sharing: 2-out-of-3 SS Dealer secret (2, 3)-secret sharing Captain America Iron Man Hulk shares secret retrieval 2019/10/14

Share Generation (2-out-of-3) Secret: K=3 [Shamir’s method] It is super easy to know (1, 5), (2, 7)  f(x)=2x+3 (1, 5), (3, 9)  f(x)=2x+3 (2, 7), (3, 9)  f(x)=2x+3 K=3 Pick a=2 Generate f(x)=ax+K f(x)=2x+3 (1, 5) (2, 7) (3, 9) Get three points (1, 5), (2, 7), (3, 9) a=2, K=3 2019/10/14

Share Generation (2-out-of-3) y S3=(3,9) (0,K=3) S2=(2,7) S1=(1,5) x Any two points can decide the line. 2019/10/14

How about k-out-of-n 1. Pick random ak-1, ak-2, …, a1 2. f(x) = ak-1xk-1 + ak-2xk-2 + … a1x + K 3. Generate (x1,y1), (x2,y2), …, (xn, yn) 4. Distribute (xi,yi) to User i 2019/10/14

Secret Recovery 1. Pick random ak-1, ak-2, …, a1 2. f(x) = ak-1xk-1 + ak-2xk-2 + … a1x + K 3. Generate (x1,y1), (x2,y2), …, (xn, yn) k users have (x1,y1), … (xk,yk) 4. Distribute (xi,yi) to User i 2019/10/14

Security Solve ak-1, …, a1, K We must have k following equations (x1, y1) y1 = ak-1(x1)k-1 + … a1(x1) + K … (xk, yk) yk = ak-1(xk)k-1 + … a1(xk) + K Any k-1 users cannot compute ak-1, …, a1, K Only k-1 equations. 2019/10/14

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Secret Sharing without … Visual Secret Sharing is secret sharing. No computation in share recovery We do not use any computer. Human visual system 2019/10/14

Treasure Map  VSS 2019/10/14

Visual Secret Sharing k-out-of-n VSS Secret: a secret image Total n participants Any k can get the secret Secret: a secret image Share generation, run by the dealer Share recovery, run by k participants 2019/10/14

Result of 2-out-of-3 VSS A secret retrieval: stacking secret image (2, 3)-visual secret sharing Transparencies (shares/shadows) secret retrieval: stacking 2019/10/14

Share Generation A Input: a secret image Deal with black and white pixels separately A pixel will be extended to some subpixels secret image Ex: 2-out-of-3 1 pixel 3 subpixels 2019/10/14

Share Generation Use base matrices Encode white pixels by using CW Encode black pixels by using CB Column permutation P1 P2 P3 2019/10/14

Share Generation (2,3)-VSS 2019/10/14

A secret image T1 T2 T3 2019/10/14

Share Recovery Stack the shares (OR operation) 1 T1 T1 T2 T1+T2 T3 1 T1 T1 T2 T1+T2 T3 2019/10/14

Share Recovery 1 1 1 1 1 1 T1 T1+T2 1 1 T2 T2+T3 1 1 1 1 T3 T1+T3 OR T1+T2 1 T2 1 1 T2+T3 T3 1 T1+T3 1 OR T1 1 T1+T2 1 T2 1 1 T2+T3 T3 1 T1+T3 1 2019/10/14

Review A secret retrieval: stacking secret image (2, 3)-visual secret sharing Transparencies (shares/shadows) secret retrieval: stacking 2019/10/14

(2, n) visual secret sharing Generally, we can use the following base matrices to construct a (2,n)-VSS. n n 2019/10/14

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Cheating Dishonest collusive parties want to fool an honest one Assume n-1 cheaters and one victim. Probability = 1 2019/10/14

Cheating We want to fool Hulk. 2019/10/14

How to do for white pixel Hulk’s is [1 0 0]. [1 0 0] [1 0 0] 2019/10/14

How to do for black pixel Hulk’s is [1 0 0]. [0 0 1] [0 1 0] 2019/10/14

The original pixel is black We want to fool Hulk. Ex: The original pixel is black [0 1 0] [0 0 1] [1 0 0] [1 0 0] [1 0 0] + [1 0 0] = [1 0 0] White Generate a fake transparency collusively. Give FT to Hulk 2019/10/14

Haha.. The real secret is A. Oh! The secret is F. Haha.. The real secret is A. FT+T3 T1+T2 2019/10/14

Result of Cheating in (2,3)-VSS T1+T2 T1+T3 T2+T3 FT FT+T3 2019/10/14

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Two directions to prevent The base matrices can inherently prevent cheating. The victim can verify that the share is valid or not. Share and blind authentication 2019/10/14

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Horng et al.’s scheme 1 Verification logo LC Stacking VC and SA, LC is shown on the left-top corner Stacking VC and SB, LC is shown on the right-top corner 2019/10/14

Logo Verification Insecure region 2019/10/14

Horng et al.’s scheme 2 2019/10/14

2-out-of-(n+1)-VSS T1 T1 T2 T2 T3 T3 WTH, T3 could be [0 1 0 0] or [0 0 0 1] T1 T2 Pr = ½ Black pixels are secure 2019/10/14

2-out-of-(n+1)-VSS T1 T1 T2 T2 T3 T3 Haha…, we know T3 is [1 0 0 0] T1 Pr = 1 White pixels are insecure 2019/10/14

Set a verification image Hu-Tzeng’s scheme B Set a verification image 2019/10/14

Hu-Tzeng’s scheme Shares generating (base matrices): CW= CB= Extra subpixels (verifying). 2019/10/14

Hu-Tzeng’s scheme Verification shares generating: If the pixel in VI is black, the sibpixels are [0 1 0 0 0]. (which corresponds to the permutation of basic matrices) If the pixel in VI is white, the sibpixels are [1 0 0 0 0]. Extra subpixels. 2019/10/14

Result Example: T1[1 0 1 0 0] (white) T1, T2, T3 T2[1 0 0 1 0] (white) T1+T2, T1+T3, T2+T3 T1+T2[1 0 1 1 0] (black) V1, V2, V3 V2[0 1 0 0 0] (white +) V1+T2, V1+T3, V2+T1 T1+V2[1 1 1 0 0] (black) V2+T3, V3+T1, V3+T2 2019/10/14

Problem of Hu-Tzeng’s scheme 2019/10/14

Problem of Hu-Tzeng’s scheme Black or white pixel is insecure in Hu-Tzeng’s scheme. V1 = [1 0 0 0 0] T1 = [1 0 1 0 0] Added columns Original columns T3 = [1 0 0 0 1] V2 = [0 1 0 0 0] T2 = [1 0 0 1 0] T1+T2 = [1 0 1 1 0] is Black 2019/10/14

Improvement (Chen et al.) Shares generating (base matrices): CW= CB= 2019/10/14

Share Authentication Horng et al. 2006: Verification logo and verification shares  Insecure Hu-Tzeng 2007: Added columns and verification shares  Insecure Chen et al. 2012: Added columns and verification shares  Secure 2019/10/14

Share Authentication Horng et al. 2006: Insecure Hu-Tzeng 2007: Insecure Chen et al. 2012: Secure Verification patterns with verification shares Verification logos without verification shares 2019/10/14

Verification patterns with verification shares T1 and V1 T2 and V2 T3 and V3 Number of patterns: n1 Number of patterns: n2 n1, n2 & n3 Number of patterns: n3 2019/10/14

This figure is from J. Vis. Commun. Image R. 23 (2012) page 1229. 2019/10/14

Verification logos without verification shares Logo: L1 Logo: L2 L1, L2 & L3 Logo: L3 2019/10/14

Ex: if T1+T? and no two D, we will find T? is FT. L1 = D, L2 = A, L3 = B, Secret = CC Ex: if T1+T? and no two D, we will find T? is FT. This figure is from Digital Signal Processing 23 (2013)page 1501. 2019/10/14

Comparisons Horng et al. (Verification logos): Insecure Hu-Tzeng (Added columns): Insecure Chen et al. (Improvement from HT): Secure Chen et al. (Verification patterns): Secure Chen et al. (Verification logos): Secure 2019/10/14

Outline Secret Sharing Visual Secret Sharing (VSS) Cheating Problem in VSS How to Prevent Cheating Attacks Cheating Immune VSS Schemes Conclusions 2019/10/14

Conclusions Cheating is a security issue in visual secret sharing. Two notions are presented to prevent cheating. Some cheating immune schemes are introduced. 2019/10/14

Thanks for your attention Yu-Chi Chen Institute of Information Science Academia Sinica wycchen@iis.sinica.edu.tw 2019/10/14