Visual Cryptography
Hossein Hajiabolhassan
Department of Mathematical Sciences
Shahid Beheshti University
Tehran, Iran
Secret Sharing Scheme
A secret sharing scheme is a method of
dividing a secret S among a finite set of
participants.
only certain pre-specified subsets of
participants can recover the secret (Qualified
subsets).
secret
K out of n
 Consider a finite field GF(q) where q≥n+1 and
Choose a secret key s from GF(q) .
 Randomly choose s=a0, a1,…, ak-1 from GF(q),
 Freely choose distinct xi (1≤i≤n).
 Give to person i Secret share (xi, f(xi)) for all
(1≤i≤n).
Perfect Secret Sharing
 A secret sharing scheme is perfect if all
authorized subsets can reconstruct the secret
but no other subset can determine any
information about the secret.
This scheme is not perfect!
Visual Cryptography
Basic Definitions
 Let P={1,...,n } be a set of elements called
participants.
 2^P denote the set of all subsets of P.
 Q  2^P : members of qualified sets.
 F 2^P: members of forbidden sets, Q  F=.
 =(Q ,F) is called the access structure of the
scheme.
 _0 : Call all the minimal qualified sets of  basis
for the access structure :
_0={A Q : B Q for all B A, B≠A}.
Basic Definitions
 Secret Image: The Secret consists of a
collection of black and white pixels.
 Share: Secret image encode into n shadow
images in the form of the transparencies, called
shares, where each participant receives one
share.
 Subpixel: Each pixel is divided into a certain
number of subpixels.
Superimposing:
1
2
q
+
+
+
+
Generation of Shares
Generation of Shares
pixel
1
share1
share2
stack
random
2
1
2
Mathematical Model
(0,1,0,1,0)
(1,1,0,0,1)
Sticking
Representation
with Matrix
(1,1,0,1,1)
[
0 1 0 1 0
1 1 0 0 1
]
Mathematical Model
s11 s12  s1m
s 21 s 22  s2 m


1
2

s n1 s n 2  s nm
n
2 out of 2
Pixel
Probability
Shares
#1
#2
p  0 .5
p  0 .5
p  0 .5
p  0 .5
` of
Superposition
the two shares
[
1 0
1 0
]
C_0
[
0 1
0 1
]
[
1 0
0 1
]
C_1
Same Matrices
with
Same Frequency
[
0 1
1 0
]
Expansion & Contrast
The number of subpixels that each pixel of
the original image is encoded into on each
transparency is termed pixel expansion.
The difference measure between a black
and a white pixel in the reconstructed image
is called contrast.
[
0 1
0 1
][
1 0
1 0
Expansion = 2
]
[
1 0
0 1
][
0 1
1 0
]
Contrast=(2-1)/2=0.5
Visual Cryptography Scheme
Naor and Shamir, 1994
 Let =(Q, F) be an access structure on a set of n
participants. A - VCS_1 with expansion m and
contrast (m) consists of two collections of n×m
matrices C_0 and C_1 such that:
I. For any qualified subset X={i_1,…,i_k} and A ε C_0,
the or V of rows i_1,…,i_k of A satisfies w(V)  t_X(m).m ; whereas, for any B ε C_1 it results that
w(V)  t_X.
II. For any non-qualified subset X={i_1,…,i_t}. The two
collections of t×m matrices D_j, with j ε {0,1},
obtained by restricting each n×m matrix in C_j to
rows i_1,…,i_t are indistinguishable in the sense that
they contain the same matrices with the same
frequencies.
2 out of 2
D_0
C_0
[
0 1
0 1
] [
1 0
1 0
]
X={1,2}, W(V)=1
X={1}
D_1
C_1
[
1 0
0 1
] [
0 1
1 0
]
X={1,2}, W(V)=2
VCS with Basis Matrices
 Let =(Q, F) be an access structure on a set of n
participants. A basis for - VCS_2 with expansion m
and contrast (m) consists of two matrices S^0 and
S^1 such that:
I. For any qualified subset X={i_1,…,i_k}, the or V of
rows i_1,…,i_k of S^0 satisfies w(V)  t_X- (m).m ;
whereas, for S^1 it results that w(V)  t_X.
II. For any non-qualified subset X={i_1,…,i_t}. The two
t×m matrices D^j, with j ε {0,1}, obtained by
restricting rows i_1,…,i_t to S^j are equal up to a
permutation of columns.
K out of K
{1} {2} {3} {1,2,3}
[
{ } {1,2} {1,3} {2,3}
] [
]
1
1
0
0
1
1
0
1
1
0
S^1=. 2
0
1
0
1
S^0=. 2
0
1
0
1
3
0
0
1
1
3
0
0
1
1
C_1={A: A is a permutation column of S^1}
C_0={B: B is a permutation column of S^0}
K out of n scheme
 There is a k out of k scheme with
expansion 2k-1 and contrast α=2-k+1.
 In any k out of k scheme m≥2k-1 and α≤21-k.
 For any n and k, there is a k out of n VCS
with m=log n 2O(klog k), α=2Ώ(k).
General Access Structure
Question: Let  be a access structure. Is
there an -VCS?
Note that if there exists an -VCS then Q
should be monotone.
Theorem: Let  =(Q,F) be a monotone access
structure where F∩Q =, and let Z_M be the
family of maximal forbidden sets in F. Then
there exists a -VCS with expansion less
than or equal to
2^(|Z_M|-1).
Cumulative Array Method
 Let  =(Q,F) be a monotone access structure where
Q U F= 2^P.
Also, let F_1,… , F_t be maximal forbidden sets in F.
 Let S^0 and S^1 be basis of white matrix and black matrix
of t out of t VCS, respectively.
 Construct n×2^(t-1) white basis matrix C^0 and black
basis matrix C^1 of  as follows:
I. For any participant i, set the i-th row of C^0 be the or of
rows i_1,…,i_s of S^0 that i_1,…,i_s are rows of S^0 where
for any 1≤j≤s, “i’’ is not member of F_(i_j).
II. Similarly, construct C^1.
Cumulative Array Method
Example: Let P={1, 2, 3, 4}, _0={{1, 2}, {2, 3}, {3, 4}},
and Z_M={F_1,F_2, F_3}; F_1={1, 4} ,F_2={1, 3},
F_3={2, 4}. Hence,
1 1 0 0
S ^0  1 0 1 0
0 1 1 0
1 1 0 0
S ^1  1 0 1 0
1 0 0 1
0
1
C ^0  
1

1
1
1
C ^1  
1

1
1 1 0
1 1 0
1 1 0

0 1 0
0 0 1
1 1 0
1 0 1

0 1 0
New VCS, Color of Secret
Tzeng and Hu, 2002
Let =(Q, F) be an access structure on a set of n
participants. A - VCS_3 with expansion m and
contrast (m) consists of two collections of n×m
matrices C_0 and C_1 such that:
I. For any qualified subset X={i_1,…,i_k} and A ε C_0,
the or V of rows i_1,…,i_k of A satisfies w(V) = t_X;
whereas, for any B ε C_1 it results that w(V)  t_X-(m).m or
for any B ε C_1 w(V) ≤t_X- (m).m.
II. For any non-qualified subset X={i_1,…,i_t}. The two
collections of t×m matrices D_j, with j ε {0,1},
obtained by restricting each n×m matrix in C_j to
rows i_1,…,i_t are indistinguishable in the sense that
they contain the same matrices with the same
frequencies.
New VCS, Color of Secret
Tzeng and Hu, 2002
Extended VCS
 In 1998, S. Droste introduced an extension
of the visual cryptography. In fact, he has
presented an extended VCS in which every
combination of the transparencies can
contain independent information.
 In 2001, G. Ateniese, C. Blundo, A. Santis
and D.R. Stinson has introduced another
version of extended visual cryptography in
which every share have to be an image.
Extended VCS
Droste 1998
 Consider multi-sets C^T (T is a subset of
2^P\{ф}) of n×m Boolean matrices which
satisfy the following conditions.
1. For all X={i_1,…,i_k} and A ε C^T, where
X is a member of T, the or V of rows
i_1,…,i_t of A satisfies w(V)  t_X.
2. For all X={i_1,…,i_k} and A ε C^T, where
X is not a member of T, the or V of
rows i_1,…,i_k of A satisfies w(V)  t_X(m).m.
3. The condition of Security!
Extended VCS
Droste 1998
1
0
C^{{1,2}}=
1
1
0
0
1
1
0
0
0
1
1
1
C^{{1},{1,2}}=
1
1
0
0
1
1
0
0 1
1 1
0
0
1
1
0
C^{{2},{1,2}}=
1
1
1
0
1
1
0
C^{{1},{2}}= 1 1
0
0
1
C^{{1},{2},{1,2}}= 1
1
1
1
1
0
1
1
0
0
1
0
1
1
0
0
C^{{1}}=
1
1
1
0
C^{{2}}=
C^{}=
1
1
Extended VCS
G. Ateniese, C. Blundo, A. Santis and D.R. Stinson, 2001
Extended VCS
Droste 1998
1
0
C^{{1,2}}=
1
1
0
0
1
1
0
0
0
1
1
1
C^{{1},{1,2}}=
1
1
0
0
1
1
0
0 1
1 1
0
0
1
1
0
C^{{2},{1,2}}=
1
1
1
0
1
1
0
C^{{1},{2}}= 1 1
0
0
1
C^{{1},{2},{1,2}}= 1
1
1
1
1
0
1
1
0
0
1
0
1
1
0
0
C^{{1}}=
1
1
1
0
C^{{2}}=
C^{}=
1
1
Extended VCS
Droste 1998
1
0
C^{{1,2}}=
1
1
0
0
1
1
0
0
0
1
1
1
C^{{1},{1,2}}=
1
1
0
0
1
1
0
0 1
1 1
0
0
1
1
0
C^{{2},{1,2}}=
1
1
1
0
1
1
0
C^{{1},{2}}= 1 1
0
0
1
C^{{1},{2},{1,2}}= 1
1
1
1
1
0
1
1
0
0
1
0
1
1
0
0
C^{{1}}=
1
1
1
0
C^{{2}}=
C^{}=
1
1
Colored Visual Cryptography
The generalized “or” of elements (colors) in
{a_0, a_1, . . . , a_{c−1}} equals a_i if all colors
are equal to a_i, otherwise it equals BLACK
Color.
Colored Visual Cryptography
VERHEUL and VAN TILBORG, 1997
 Let =(Q, F) be an access structure on a set of n participants.
The c collections of n×m matrices C_0, C_1, . . . , C_{c−1}
constitute a c-colour - VCS_1 with pixel expansion m, if
there exist two integers h and l such that h > l satisfying:
I. For any qualified subset X={i_1,…,i_k} and A ε C_i, the
generalized or V of rows i_1,…,i_k of A satisfies
Z_i(V)  h while for any j≠ i, Z_j(V) ≤ l.
II. For any non-qualified subset X={i_1,…,i_t}. The collections of
t×m matrices D_j, obtained by restricting each n×m
matrix in C_j to rows i_1,…,i_t , are indistinguishable in the
sense that they contain the same matrices with the same
frequencies.
Colored Visual Cryptography
2 out of 5
Colored Visual Cryptography
Yang and Laih, 2000
Probabilistic Visual Cryptography
K out of n, Yang 2004
A k out of n ProbVSS_1 scheme can be shown as two
multi-sets, C_0 and C_1; consisting of n×1 matrices which
satisfies the following conditions:
 For these matrices in the multi-set C_0 (resp. C1), the
‘‘OR’’-ed value of any k-tuple column vector V is L(V).
These values of all matrices form a multi-set E_0 (resp.
E_1), respectively.
The two multi-sets E_0 and E_1 satisfy that p_1≥p_t and
P_0≤p_t- α, where p_0 and p_1 are the appearance
probabilities of the ‘‘1’’ (black color) in the multi-sets E_0
and E_1, respectively.
For any subset {i_1,…,i_t} of participants with t<k the
p_0 and p_1 are the same.
Probabilistic Visual Cryptography
K out of n, Yang 2004
2 out of 2
Probabilistic Visual Cryptography
K out of n, Yang 2004
2 out of 3
Rotating 72o
Staking
Staking
Share 2
Share 1
Secret 1 “VISUAL”
Secret 2 “SECRET”
 W.G. Tzeng and C.M. Hu, 2002, introduced
another model for visual cryptography in which
just minimal qualified subsets can recover the
shared image by stacking their transparencies.
 (C. Blundo, S. Cimato, and A. De Santis, 2006)
Let =(Q, F) be an access structure. The best pixel
expansion of  -VCS_3 (basis matrices) satisfies
| _0 |
m3 () 
.
2
 (H. Hajiabolhassan and A. Cheraghi) Let =(Q, F) be an
access structure. Also, assume that there exist disjoint
qualified sets A_1, . . . ,A_t such that for any qualified
set B ⊆ A_1∪···∪A_t, one should have A_i ⊆ B for some
1 ≤ i ≤ t, i.e., A_i’s constitute an induced matching in Q.
Then
t
min{m 2 (), m 3 ()}   2
|A i |-1
 (t  1)
i 1
 One can consider another model for visual
cryptography (VCS_4) in which minimal qualified
subsets can recover the secret. In fact, we don’t mind
whether non-minimal qualified subsets can obtain the
secret.
 A graph access structure is an access structure for
which the set of participants is the vertex set V (G) of a
graph G = (V (G),E(G)), and the sets of participants
qualified to reconstruct the secret image are precisely
those containing an edge of G.
 A strong edge coloring of a graph G is an edge coloring
in which every color class is an induced matching. The
strong chromatic index s′(G) is the minimum number of
colors in a strong edge coloring of G.
 (H. Hajiabolhassan and A. Cheraghi) Let G be a nonempty graph. Then
m_4(G) ≤ min{2bc(G), 2s′(G)}.
Thanks for
your attention!