Visual Cryptography

Moni Naor* and Adi Shamir

Department of Applied Math and Computer Science, Weizmann Institute, Rehovot
76100, Israel. e-mail: {naor,shamir}@wisdom.weizmann.ac.il

Abstract. In this paper we consider a new type of cryptographic scheme,
which can decode concealed images without any cryptographic computations.
The scheme is perfectly secure and very easy to implement. We extend it into
a visual variant of the k out of n secret sharing problem, in which a dealer
provides a transparency to each one of the n users; any k of them can see the
image by stacking their transparencies, but any k - 1 of them gain no
information about it.

1 Introduction

In this paper we consider the problem of encrypting written material (printed
text, handwritten notes, pictures, etc.) in a perfectly secure way which can be
decoded directly by the human visual system. The basic model consists of a
printed page of ciphertext (which can be sent by mail or faxed) and a printed
transparency (which serves as a secret key). The original cleartext is revealed by
placing the transparency with the key over the page with the ciphertext, even
though each one of them is indistinguishable from random noise. The system is
similar to a one time pad in the sense that each page of ciphertext is decrypted
with a different transparency. Due to its simplicity, the system can be used by
anyone without any knowledge of cryptography and without performing any
cryptographic computations.

The best way to visualize the visual cryptographic scheme is to consider a
concrete example. At the end of this extended abstract we enclose two random
looking dot patterns. To decrypt the secret message, the reader should photocopy
each pattern on a separate transparency, align them carefully, and project the
result with an overhead projector.

This basic model can be extended into a visual variant of the k out of n
secret sharing problem: Given a written message, we would like to generate n
transparencies so that the original message is visible if any k (or more) of them
are stacked together, but totally invisible if fewer than k transparencies are
stacked together (or analysed by any other method). The original encryption
problem can be considered as a 2 out of 2 secret sharing problem.

The main results of this paper (besides introducing this new paradigm of
cryptographic schemes) include practical implementations of a k out of n visual
secret sharing scheme for small values of k and n, as well as efficient asymptotic
constructions which can be proven optimal within certain classes of schemes.

* Research supported by an Alon Fellowship.

2 The Model

The simplest version of the visual secret sharing problem assumes that the
message consists of a collection of black and white pixels and each pixel is handled
separately². Each original pixel appears in n modified versions (called shares),
one for each transparency. Each share is a collection of m black and white
subpixels, which are printed in close proximity to each other so that the human
visual system averages their individual black/white contributions. The resulting
structure can be described by an $n \times m$ Boolean matrix $S = [s_{ij}]$ where
$s_{ij} = 1$ iff the $j$-th subpixel in the $i$-th transparency is black. When
transparencies $i_1, i_2, \ldots, i_r$ are stacked together in a way which properly
aligns the subpixels, we see a combined share whose black subpixels are
represented by the Boolean "or" of rows $i_1, i_2, \ldots, i_r$ in $S$. The grey level of
this combined share is proportional to the Hamming weight $H(V)$ of the "or"ed
m-vector $V$. This grey level is interpreted by the visual system of the users as
black if $H(V) \ge d$ and as white if $H(V) < d - \alpha m$ for some fixed threshold
$1 \le d \le m$ and relative difference $\alpha > 0$.

This framework resembles the framework of linear codes, with the important
difference that the underlying algebraic structure is a semi-group rather than a
group. In particular, the visual effect of a black subpixel in one of the
transparencies cannot be undone by the colour of that subpixel in other transparencies
which are laid over it. This monotonicity rules out common encryption
techniques which add random noise to the cleartext during the encryption process,
and subtract the same noise from the ciphertext during the decryption process.
It also rules out the more natural model in which a white pixel is represented
by a completely white collection of subpixels and a black pixel is represented by
a completely black collection of subpixels, and thus we have to use a threshold
$d$ and relative difference $\alpha > 0$ to distinguish between the colours.

Definition 1. A solution to the k out of n visual secret sharing scheme consists
of two collections of $n \times m$ Boolean matrices $C_0$ and $C_1$. To share a white pixel,
the dealer randomly chooses one of the matrices in $C_0$, and to share a black
pixel, the dealer randomly chooses one of the matrices in $C_1$. The chosen matrix
defines the colour of the m subpixels in each one of the n transparencies. The
solution is considered valid if the following three conditions are met:
1. For any $S$ in $C_0$, the "or" $V$ of any k of the n rows satisfies $H(V) \le d - \alpha \cdot m$.
2. For any $S$ in $C_1$, the "or" $V$ of any k of the n rows satisfies $H(V) \ge d$.
3. For any subset $\{i_1, i_2, \ldots, i_q\}$ of $\{1, 2, \ldots, n\}$ with $q < k$, the two collections of
   $q \times m$ matrices $D_t$ for $t \in \{0, 1\}$ obtained by restricting each $n \times m$ matrix
   in $C_t$ (where $t = 0, 1$) to rows $i_1, i_2, \ldots, i_q$ are indistinguishable in the sense
   that they contain the same matrices with the same frequencies.

Condition 3 implies that by inspecting fewer than k shares, even an infinitely
powerful cryptanalyst cannot gain any advantage in deciding whether the shared
pixel was white or black. In most of our constructions, there is a function $f$ such
that the combined shares from $q < k$ transparencies consist of all the $V$'s with
$H(V) = f(q)$ with uniform probability distribution, regardless of whether the
matrices were taken from $C_0$ or $C_1$. Such a scheme is called uniform. The first
two conditions are called contrast and the third condition is called security.

² It is conceivable that handling larger groups of pixels simultaneously yields better
results.

The important parameters of a scheme are:
- $m$, the number of pixels in a share. This represents the loss in resolution
  from the original picture to the shared one. We would like $m$ to be as small
  as possible.
- $\alpha$, the relative difference in weight between combined shares that come from
  a white pixel and a black pixel in the original picture. This represents the
  loss in contrast. We would like $\alpha$ to be as large as possible.
- $r$, the size of the collections $C_0$ and $C_1$ (they need not be the same size, but in
  all of our constructions they are). $\log r$ represents the number of random bits
  needed to generate the shares and does not affect the quality of the picture.

Results: We have a number of constructions for specific values of k and n. For
general k we have a construction for the k out of k problem with $m = 2^{k-1}$ and
$\alpha = \frac{1}{2^{k-1}}$ and we have a proof of optimality of this scheme. For general k and n
we have a construction with $m = \log n \cdot 2^{O(k \log k)}$ and $\alpha = \frac{1}{2^{\Omega(k)}}$.

3 Efficient solutions for small k and n

The 2 out of n visual secret sharing problem can be solved by the following
collections of $n \times n$ matrices:
$C_0$ = {all the matrices obtained by permuting the columns of
t 00
$C_1$ = {all the matrices obtained by permuting the columns of

Any single share in either $C_0$ or $C_1$ is a random choice of one black and n - 1
white subpixels. Any two shares of a white pixel have a combined Hamming
weight of 1, whereas any two shares of a black pixel have a combined Hamming
weight of 2, which looks darker. The visual difference between the two cases
becomes clearer as we stack additional transparencies.

The original problem of visual cryptography is the special case of a 2 out of
2 visual secret sharing problem. It can be solved with two subpixels per pixel,
but in practice this can distort the aspect ratio of the original image. It is thus
recommended to use 4 subpixels arranged in a $2 \times 2$ array where each share has
one of the visual forms in Figure 1. A white pixel is shared into two identical
arrays from this list, and a black pixel is shared into two complementary arrays
from this list. Any single share is a random choice of two black and two white
subpixels, which looks medium grey. When two shares are stacked together, the
result is either medium grey (which represents white) or completely black (which
represents black).

[Fig. 1: horizontal shares, vertical shares, diagonal shares]
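
The 2 out of 2 scheme with $2 \times 2$ subpixel arrays, as an added example that is not part of the original paper: one share acts as the key transparency, the other as the ciphertext page, and stacking is a Boolean "or". The function names, the row-major flattening of the Fig. 1 forms and the sample images are assumptions of this sketch; the last step shows the one-time-pad caveat from the introduction, that a key transparency used for two pages lets the pages alone reveal where the images differ.

```python
import secrets

# The six 2x2 share forms of Fig. 1, flattened row-major (1 = black subpixel).
# The row-major flattening is an assumption of this sketch.
PATTERNS = [
    (1, 1, 0, 0), (0, 0, 1, 1),  # horizontal shares
    (1, 0, 1, 0), (0, 1, 0, 1),  # vertical shares
    (1, 0, 0, 1), (0, 1, 1, 0),  # diagonal shares
]


def make_key(height, width):
    """The transparency (secret key): one uniformly random pattern per pixel."""
    return [[secrets.choice(PATTERNS) for _ in range(width)] for _ in range(height)]


def encrypt(image, key):
    """Ciphertext page: the key's pattern for white (0), its complement for black (1)."""
    return [[tuple(bit ^ pixel for bit in pattern)
             for pixel, pattern in zip(img_row, key_row)]
            for img_row, key_row in zip(image, key)]


def stack(a, b):
    """Stacking two aligned transparencies is the Boolean "or" of their subpixels."""
    return [[tuple(x | y for x, y in zip(p, q)) for p, q in zip(row_a, row_b)]
            for row_a, row_b in zip(a, b)]


def decode(stacked):
    """Threshold d = 4: four black subpixels read as black, two as white."""
    return [[1 if sum(p) == 4 else 0 for p in row] for row in stacked]


def render(share):
    """ASCII view at subpixel resolution; each pixel becomes a 2x2 block."""
    lines = []
    for row in share:
        lines.append("".join("#" if b else "." for p in row for b in p[:2]))
        lines.append("".join("#" if b else "." for p in row for b in p[2:]))
    return "\n".join(lines)


def ciphertext_patterns(pixel):
    """Every pattern the page can show for this pixel, over all key patterns."""
    return sorted(tuple(bit ^ pixel for bit in pattern) for pattern in PATTERNS)


# Constructed sample images (0 = white, 1 = black).
SECRET = [[1, 0, 1], [0, 1, 0]]
OTHER = [[1, 1, 0], [0, 0, 0]]


def demo():
    key = make_key(2, 3)
    page = encrypt(SECRET, key)
    recovered = decode(stack(page, key))
    # One-time-pad caveat: a second page made with the SAME key, stacked on the
    # first page without the key, shows exactly where the two images differ.
    page2 = encrypt(OTHER, key)
    leak = decode(stack(page, page2))
    return key, page, recovered, leak


if __name__ == "__main__":
    key, page, recovered, leak = demo()
    print(render(key), render(page), render(stack(page, key)), sep="\n\n")
    print(recovered, leak)
```

`ciphertext_patterns(0)` and `ciphertext_patterns(1)` are the same list, which is the security condition for a single share: the page alone is distributed identically for a white and a black pixel.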
The next case is the 3 out of 3 visual secret sharing problem, which is solved
by the following scheme:

$$C_0 = \left\{\text{all the matrices obtained by permuting the columns of } \begin{bmatrix} 0&0&1&1 \\ 0&1&0&1 \\ 0&1&1&0 \end{bmatrix}\right\}$$

$$C_1 = \left\{\text{all the matrices obtained by permuting the columns of } \begin{bmatrix} 1&1&0&0 \\ 1&0&1&0 \\ 1&0&0&1 \end{bmatrix}\right\}$$

Note that the six shares described by the rows of $C_0$ and $C_1$ are exactly the six
$2 \times 2$ arrays of subpixels from Fig. 1. Each matrix in either $C_0$ or $C_1$ contains one
horizontal share, one vertical share and one diagonal share. Each share contains
a random selection of two black subpixels, and any pair of shares from one of
the matrices contains a random selection of one common black subpixel and
two individual black subpixels. Consequently, the analysis of one or two shares
makes it impossible to distinguish between $C_0$ and $C_1$. However, a stack of three
transparencies from $C_0$ is only 3/4 black, whereas a stack of three transparencies
from $C_1$ is completely black.

The following scheme generalizes this 3 out of 3 scheme into a 3 out of n
scheme for an arbitrary $n \ge 3$. Let $B$ be the black $n \times (n - 2)$ matrix which
contains only 1's, and let $I$ be the identity $n \times n$ matrix which contains 1's on the
diagonal and 0's elsewhere. Let $BI$ denote the $n \times (2n - 2)$ matrix obtained by
concatenating $B$ and $I$, and let $c(BI)$ be the Boolean complement of the matrix
$BI$. Then

$C_0$ = {all the matrices obtained by permuting the columns of $c(BI)$}
$C_1$ = {all the matrices obtained by permuting the columns of $BI$}

has the following properties: Any single share contains an arbitrary collection
of n - 1 black and n - 1 white subpixels; any pair of shares have n - 2 common
black and two individual black subpixels; any stacked triplet of shares from $C_0$
has n black subpixels, whereas any stacked triplet of shares from $C_1$ has n + 1
black subpixels.

The 4 out of 4 visual secret sharing problem can be solved by the shares
described in Figure 2 (along with all their permutations).

[Fig. 2: shares of a white pixel; shares of a black pixel]

Any single share contains 5 black subpixels, any stacked pair of shares
contains 7 black subpixels, any stacked triplet of shares contains 8 black subpixels,
and any stacked quadruple of shares contains either 8 or 9 black subpixels,
depending on whether the shares were taken from $C_0$ or $C_1$. It is possible to reduce
the number of subpixels from 9 to 8, but then they cannot be packed into a
square array without distorting their aspect ratio.

4 A general k out of k scheme

We now describe two general constructions which can solve any k out of k visual
secret sharing problem by using $2^k$ and $2^{k-1}$ subpixels respectively. We then
prove that the second construction is optimal in that any k out of k scheme must
use at least $2^{k-1}$ pixels.

Construction 1

To define the two collections of matrices we make use of two lists of vectors
$J^0_1, J^0_2, \ldots, J^0_k$ and $J^1_1, J^1_2, \ldots, J^1_k$. Let $J^0_1, J^0_2, \ldots, J^0_k$ be vectors of length k over
GF[2] with the property that every k - 1 of them are linearly independent over
GF[2], but the set of all k vectors is not independent. Such a collection can
be easily constructed, e.g. let $J^0_i = 0^{i-1} 1 0^{k-i}$ for $1 \le i < k$ and $J^0_k = 1^{k-1} 0$.
Let $J^1_1, J^1_2, \ldots, J^1_k$ be vectors of length k over GF[2] with the property that they
are linearly independent over GF[2]. (This can be thought of as a first order
Reed-Muller code [7].)

Each list defines a $k \times 2^k$ matrix $S^t$ for $t \in \{0, 1\}$ and the collections $C_0$ and
$C_1$ are obtained by permuting the columns of the corresponding matrix in all
possible ways. We index the columns of $S^t$ by vectors of length k over GF[2].
For $t \in \{0, 1\}$ let $S^t$ be defined as follows: $S^t[i, x] = \langle J^t_i, x \rangle$ for any $1 \le i \le k$
and any vector $x$ of length k over GF[2], where $\langle x, y \rangle$ denotes the inner
product over GF[2].

Lemma 2. The above scheme is a k out of k scheme with parameters $m = 2^k$,
$\alpha = 1/2^k$ and $r = 2^k!$.

Proof: In order to show contrast, note that in matrix $S^0$ there are two columns
that are all zero; in the example given these are the column indexed by $x = 0^k$
and the column indexed by $x = 0^{k-1}1$. On the other hand, in $S^1$ there is only
one column that is all 0, the one corresponding to $x = 0^k$. Therefore in any
permutation of $S^0$ the "or" of the k rows yields $2^k - 2$ ones, whereas in any
permutation of $S^1$ the "or" of the k rows yields $2^k - 1$ ones.

In order to show security, note that the vectors corresponding to any k - 1
rows in both $S^0$ and $S^1$ are linearly independent over GF[2]. Therefore if one
considers the rows as subsets of a ground set of size $2^k$, then every intersection
of k - 1 rows or their complement has the same size, two. (Note that we include
complemented sets, and thus if all possible intersections of k - 1 are the same,
then all smaller intersections are the same as well.) Hence a random permutation
of the columns yields the same distribution regardless of which k - 1 rows were
chosen (provided the corresponding vectors are linearly independent). □

Construction 2

We now show a slightly better scheme with parameters $m = 2^{k-1}$, $\alpha =
1/2^{k-1}$ and $r = 2^{k-1}!$. Consider a ground set $W = \{e_1, e_2, \ldots, e_k\}$ of k elements
and let $\pi_1, \pi_2, \ldots, \pi_{2^{k-1}}$ be a list of all the subsets of even cardinality and let
$\sigma_1, \sigma_2, \ldots, \sigma_{2^{k-1}}$ be a list of all the subsets of $W$ of odd cardinality (the order is
not important).

Each list defines the following $k \times 2^{k-1}$ matrices $S^0$ and $S^1$: For $1 \le i \le k$
and $1 \le j \le 2^{k-1}$ let $S^0[i, j] = 1$ iff $e_i \in \pi_j$ and $S^1[i, j] = 1$ iff $e_i \in \sigma_j$.
As in the construction above, the collections $C_0$ and $C_1$ are obtained by
permuting all the columns of the corresponding matrix.

Lemma 3. The above scheme is a k out of k scheme with parameters $m = 2^{k-1}$,
$\alpha = 1/2^{k-1}$ and $r = 2^{k-1}!$.

Proof: In order to show contrast, note that in matrix $S^0$ there is one column
that is all zero, the one indexed by the empty set. On the other hand, in $S^1$
there is no column that is all 0. Therefore in any permutation of $S^0$ the "or" of
the k rows yields only $2^{k-1} - 1$ ones, whereas in any permutation of $S^1$ the "or"
of the k rows yields $2^{k-1}$ ones.

In order to show security, note that if one examines any k - 1 rows in either
$S^0$ or $S^1$ then the structure discovered is similar: consider the rows as subsets
of a ground set of size $2^{k-1}$; every intersection of k - 1 rows or their complement
has the same size, two. Hence a random permutation of the columns yields the
same distribution regardless of which k - 1 rows were chosen.
□
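
A checker for Definition 1, applied to the 3 out of n scheme of Section 3 and to Construction 2, as an added example that is not part of the original paper. It assumes both collections consist of all column permutations of one base matrix, in which case condition 3 holds exactly when the two base matrices, restricted to any fewer than k rows, have the same multiset of columns; all function names are chosen here for illustration.

```python
import secrets
from collections import Counter
from fractions import Fraction
from itertools import combinations


def or_weight(matrix, rows):
    """Hamming weight H(V) of the Boolean "or" of the selected rows."""
    return sum(any(matrix[i][j] for i in rows) for j in range(len(matrix[0])))


def column_profile(matrix, rows):
    """Multiset of the columns of the matrix restricted to the given rows."""
    return Counter(tuple(matrix[i][j] for i in rows) for j in range(len(matrix[0])))


def check_scheme(s0, s1, k):
    """Check Definition 1 for C_0, C_1 = all column permutations of s0, s1.

    Returns (d, alpha); raises ValueError if contrast or security fails.
    """
    n, m = len(s0), len(s0[0])
    # Contrast (conditions 1 and 2): column permutations do not change H(V).
    white = max(or_weight(s0, rows) for rows in combinations(range(n), k))
    black = min(or_weight(s1, rows) for rows in combinations(range(n), k))
    if black <= white:
        raise ValueError("no contrast between white and black pixels")
    # Security (condition 3): every set of q < k rows must look the same.
    for q in range(1, k):
        for rows in combinations(range(n), q):
            if column_profile(s0, rows) != column_profile(s1, rows):
                raise ValueError(f"shares {rows} distinguish white from black")
    return black, Fraction(black - white, m)


def construction2(k):
    """Base matrices S^0, S^1: columns are the even / odd subsets of {e_1..e_k}."""
    even, odd = [], []
    for mask in range(2 ** k):
        column = [(mask >> i) & 1 for i in range(k)]  # membership of e_1..e_k
        (odd if sum(column) % 2 else even).append(column)
    return [list(r) for r in zip(*even)], [list(r) for r in zip(*odd)]


def three_out_of_n(n):
    """Base matrices c(BI), BI of the 3 out of n scheme."""
    bi = [[1] * (n - 2) + [int(i == j) for j in range(n)] for i in range(n)]
    return [[1 - x for x in row] for row in bi], bi


def deal(pixel, s0, s1):
    """Dealer: pick a random column permutation of the base matrix; row i is share i."""
    base = s1 if pixel else s0
    perm = list(range(len(base[0])))
    secrets.SystemRandom().shuffle(perm)
    return [[row[j] for j in perm] for row in base]


if __name__ == "__main__":
    for k in (2, 3, 4):
        print("Construction 2, k =", k, check_scheme(*construction2(k), k))
    for n in (3, 5, 7):
        print("3 out of", n, check_scheme(*three_out_of_n(n), 3))
    # The "more natural model" (all-white vs all-black shares) has contrast
    # but fails condition 3 already for a single share.
    try:
        check_scheme([[0, 0], [0, 0]], [[1, 1], [1, 1]], 2)
    except ValueError as err:
        print("naive scheme rejected:", err)
```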

Upper bound on $\alpha$:

We show that $\alpha$ must be exponentially small as a function of k and, in fact,
get a tight bound that $\alpha \le 1/2^{k-1}$. The key combinatorial fact used is the following
(see [5, 6]): given two sequences of sets $A_1, A_2, \ldots, A_k$ and $B_1, B_2, \ldots, B_k$ of some
ground set $G$ such that for every subset $U \subset \{1, \ldots, k\}$ of size at most k - 1 we have
$|\bigcap_{i \in U} A_i| = |\bigcap_{i \in U} B_i|$, then $|\bigcup_{i=1}^{k} A_i| \le \frac{1}{2^{k-1}} \cdot |G| + |\bigcup_{i=1}^{k} B_i|$. In other words,
if the intersections of the $A_i$'s and $B_i$'s agree in size for all subsets smaller than
k elements, then the difference in the union cannot be too large.

Consider now a k out of k scheme $C$ with parameters $m$, $\alpha$ and $r$. Let the two
collections be $C_0$ and $C_1$. We construct from the collections two sequences of sets
$A_1, A_2, \ldots, A_k$ and $B_1, B_2, \ldots, B_k$. The ground set is of size $m \cdot r$ and its elements
are indexed by $(x, y)$ where $1 \le x \le r$ and $1 \le y \le m$. Element $(x, y)$ is in $A_i$ iff
$S^0_x[i, y] = 1$ and element $(x, y)$ is in $B_i$ iff $S^1_x[i, y] = 1$.

We claim that for any $U \subset \{1, \ldots, k\}$ of size $q < k$ the equality $|\bigcap_{i \in U} A_i| =
|\bigcap_{i \in U} B_i|$ holds. The security condition of $C$ implies that we can construct a 1-1
mapping between all the $q \times m$ matrices obtained from considering only rows
corresponding to $U$ in $C_0$ and the $q \times m$ matrices of $C_1$ such that any two matched
matrices are identical. (Strictly speaking, the security condition is not strong
enough to imply it, but given any scheme we can convert it into one that has
this property without changing $\alpha$ and $m$.) Therefore when considering $|\bigcap_{i \in U} A_i|$
and $|\bigcap_{i \in U} B_i|$ the contribution of each member of a pair of matched matrices
is identical and hence $|\bigcap_{i \in U} A_i| = |\bigcap_{i \in U} B_i|$. Applying now the combinatorial
fact mentioned above yields that $|\bigcup_{i=1}^{k} B_i| \le \frac{1}{2^{k-1}} \cdot rm + |\bigcup_{i=1}^{k} A_i|$ which means
that for at least one matrix in $C_1$ and one matrix in $C_0$ the difference between
the Hamming weight of the "or" of their rows is at most $\frac{1}{2^{k-1}} \cdot m$. Hence we have

Theorem 4. In any k out of k scheme $\alpha \le \frac{1}{2^{k-1}}$ and $m \ge 2^{k-1}$.

5 A general k out of n scheme

In this section we construct a k out of n scheme. What we show is how to go
from a k out of k scheme to a k out of n scheme.

Let $C$ be a k out of k visual secret sharing scheme with parameters $m$, $r$, $\alpha$.
The scheme $C$ consists of two collections of $k \times m$ Boolean matrices $C_0 =
T^0_1, T^0_2, \ldots, T^0_r$ and $C_1 = T^1_1, T^1_2, \ldots, T^1_r$. Furthermore, assume the scheme is
uniform, i.e. there is a function $f(q)$ such that for any matrix $T^t_i$ where $t \in \{0, 1\}$
and $1 \le i \le r$ and for every $1 \le q \le k - 1$ rows of $T^t_i$ the Hamming weight of
the "or" of the q rows is $f(q)$. Note that all our previous constructions have this
property.

Let $H$ be a collection of $\ell$ functions such that
1. $\forall h \in H$ we have $h : \{1..n\} \to \{1..k\}$
2. For all subsets $B \subset \{1..n\}$ of size k and for all $1 \le q \le k$ the probability
   that a randomly chosen $h \in H$ yields q different values on $B$ is the same.
   Denote this probability by $\beta_q$.

We construct from $C$ and $H$ a k out of n scheme $C'$ as follows:
- The ground set is $V = U \times H$ (i.e. it is of size $m \cdot \ell$ and we consider its
  elements as indexed by a member of $U$ and a member of $H$).
- Each $1 \le t \le r^\ell$ is indexed by a vector $(t_1, t_2, \ldots, t_\ell)$ where each $1 \le t_i \le r$.
- The matrix $S^b_t$ for $t = (t_1, t_2, \ldots, t_\ell)$ where $b \in \{0, 1\}$ is defined as
  $S^b_t[i, (j, h)] = T^b_{t_h}[h(i), j]$

Lemma 5. If $C$ is a scheme with parameters $m$, $\alpha$, $r$, then $C'$ is a scheme with
parameters $m' = m \cdot \ell$, $\alpha' = \alpha \cdot \beta_k$, $r' = r^\ell$.

Proof: In order to show contrast, note that for any k rows in a matrix $S^b_t$ and
any $h \in H$, if the subset corresponding to the k rows is mapped to $q < k$ different
values by $h$, then we know by the assumption of uniformity that the weight of
the "or" of the q rows in $C$ is $f(q)$. The difference between white pixels and black
pixels occurs only when $h$ is 1-1 which happens at $\beta_k$ of the $h \in H$ and it is
$\alpha \cdot m$ in this case. Therefore the Hamming weight of an "or" of k rows of a white
pixel is at most $\ell(\beta_k \cdot (d - \alpha m) + \sum_{q=1}^{k-1} \beta_q \cdot f(q))$ and the weight of a black pixel
is $\ell(\beta_k \cdot d + \sum_{q=1}^{k-1} \beta_q \cdot f(q))$ which means that the relative difference between
them is at least $\beta_k \cdot \alpha$.

In order to show security note that we are essentially repeating $\ell$ times the
scheme $C$ where each instance is independent of all other instances. Therefore
from the security of $C$ we get the security of $S$. □

Construction of H:

One can construct $H$ from a collection of k-wise independent hash functions
(see e.g. [3], [4], [9]). Suppose that $H$ is such that for any k values $x_1, x_2, \ldots, x_k \in
\{1, \ldots, n\}$ the k random variables defined by $X_1 = h(x_1), X_2 = h(x_2), \ldots, X_k =
h(x_k)$ for a randomly chosen $h \in H$ are completely independent. Since they are
independent, the probability that they yield q different values is the same, no
matter what $x_1, x_2, \ldots, x_k$ are. For a concrete example, assume that k is a prime
(otherwise we have to deal with its factors), and let $l$ be such that $k^l > n$. The
family $H$ is based on the set of polynomials of degree k - 1 over GF[$k^l$], where
for every $h \in H$ there is a corresponding polynomial $q(x)$, and $h(x) = q(x) \bmod k$.
The size of $H$ is about $n^k$. The probability $\beta_k$ that a random $h$ is 1-1 on a set
of k elements is $\frac{k!}{k^k} \ge \frac{(k/e)^k}{k^k \sqrt{2\pi k}} = \frac{e^{-k}}{\sqrt{2\pi k}}$. We can therefore conclude by applying
Lemma 5:

Theorem 6. For any n and k there exists a visual secret sharing scheme with
parameters $m = n^k \cdot 2^{k-1}$, $\alpha = (2e)^{-k}/\sqrt{2\pi k}$ and $r = n^k (2^{k-1}!)$.

5.1 Relaxing the conditions on H

Suppose now that we relax Condition 2 in the definition of $H$ to the following:
there exists an $\epsilon$ such that for all subsets $B \subset \{1..n\}$ of size k and for all $1 \le q \le k$
the probability that a randomly chosen $h \in H$ yields q different values on $B$ is
the same to within $\epsilon$. As we shall see, this leeway allows for much smaller $H$'s.

Taking $\epsilon$ to be small, say smaller than $\alpha\beta_k/4$, cannot make a big difference
in the quality of our construction: The Hamming weight of an "or" of k rows of
a white pixel is at most

$$\ell\left((\beta_k + \epsilon) \cdot (d - \alpha m) + \sum_{q=1}^{k-1} (\beta_q + \epsilon) \cdot f(q)\right)$$

and the weight of a black pixel is at least

$$\ell\left((1 - \epsilon)\beta_k \cdot d + \sum_{q=1}^{k-1} (1 - \epsilon) \cdot \beta_q \cdot f(q)\right).$$

The relative difference between black and white is therefore at least $\beta_k \cdot \alpha - 2\epsilon$.
Note that the security of the scheme is not affected at all, since fewer than k
shares never map to k different values.

Construction of relaxed H:

We use small-bias probability spaces to construct such a relaxed family (see
[8], [2], [3] for definitions and constructions). A probability space with random
variables that are $\epsilon$-bias is an approximation to a probability space with
completely independent random variables, in that the bias (i.e. the difference between
the probability that their parity is 0 and 1) is bounded by $\epsilon$ (as opposed to 0 in
the complete independence). Similarly, a probability space which is k-wise $\epsilon$-bias
is an approximation to k-wise independent probability spaces.

Assume that k is a power of 2. Let $R$ be a $k \log k$-wise $\delta$-bias probability
space on $n \log k$ random variables which take values in {0, 1}. They are indexed
as $Y_{ij}$ for $1 \le i \le n$ and $1 \le j \le \log k$. There are explicit constructions of such
probability spaces of size $2^{O(k \log k)} \log n$ (see [8], [1]).

Each function $h$ corresponds to a point in the probability space. $h(x)$ is the
value of $Y_{x1}, Y_{x2}, \ldots, Y_{x \log k}$ treated as a number between 0 and $2^{\log k} - 1$. It can be
shown that for all $x_1, x_2, \ldots, x_k \in \{1, \ldots, n\}$ and for all $y_1, y_2, \ldots, y_k \in \{0, \ldots, 2^{\log k} - 1\}$
we have
1 k k
k- ~ - 5 . < P r o b [ h ( ~ l ) = y l , h ( x 2 ) = Y 2 , . . . h ( x k ) = Yk] g + 6 k k.
1
Ther f or e t aki ng 6 = ~ i mpl i es t hat 9 __< 2 -2k and we get a scheme in which
the number of subpixels grows only logarithmically with the number of shares
n.

Theorem 7. For any n and k there exists a visual secret sharing scheme with
parameters $m = \log n \cdot 2^{O(k \log k)}$, $\alpha = 2^{-\Omega(k)}$.

6 Extensions

There are many possible enhancements and extensions of the basic model
introduced in this paper. Consider, for example, the problem of visual encryption of
a continuous tone image whose pixels have grey levels ranging from 0 to 255. A
brute force solution can divide an original pixel with grey level g into an $8 \times 8$
array of g black and 256-g white subpixels, and then encrypt each black and white
subpixel separately by dividing it further into an array of subsubpixels with
our techniques. However, we propose a more direct and elegant solution to the
continuous tone visual encryption problem by using the following observation:

[Fig. 3: first share, second share, stacked share]

Each pixel in each one of the two transparencies is represented by a rotated
half circle. When the two half circles (with rotation angles a and b) are carefully
aligned, the superposition of the two half circles can range in colour from medium
grey (representing white) to completely black (representing black) depending on
the relative angle a - b between the two rotated half circles (see Figure 3). If we
choose for each pixel in each share a random absolute rotation angle (with the
desired relative rotation angle between them), then each transparency will look
uniformly grey and will reveal absolutely no information, but the superposition
of the two transparencies will be a darker version of the original continuous tone
image.

Another interesting extension of the original model deals with the problem
of concealing the very existence of the secret message. Is it possible to send
(by mail or fax) an innocent looking image of a house, superimpose on it an
innocent looking transparency of a dog, and get a spy message with no trace
of either the house or the dog? To construct such a scheme, we consider $2 \times 2$
arrays of subpixels, and define two types of shares (white with 2 black subpixels
and black with 3 black subpixels) and two types of superimposed results (white
with 3 black subpixels and black with 4 black subpixels). If the desired result is
white, we use the shares presented in the top row of Figure 4 (along with their
permutations). If the desired result is black, we use the shares presented in the
bottom row of Figure 4 (along with their permutations):

[Fig. 4. Use top row for white and bottom row for black. Panels in each row:
two white shares, white and black shares, two black shares]

The reader can easily convince himself that each transparency can contain
an arbitrary image which reveals no information whatsoever about the
superimposed image.

Acknowledgements

We thank Nati Linial for explaining his work on inclusion-exclusion, Ronny Roth
for careful reading of the paper and Ronen Basri for helping us with the figures.

References

1. N. Alon, J. Bruck, J. Naor, M. Naor and R. Roth, Construction of asymptotically
   good, low-rate error-correcting codes through pseudo-random graphs, IEEE
   Transactions on Information Theory, 38 (1992), 509-516.
2. N. Alon, O. Goldreich, J. Hastad and R. Peralta, Simple constructions of almost
   k-wise independent random variables, Random Structures and Algorithms 3 (1992),
   289-304.
3. N. Alon and J. Spencer, The probabilistic method, Wiley, 1992.
4. J. L. Carter and M. N. Wegman, Universal classes of hash functions, Journal of
   Computer and System Sciences 18 (1979), pp. 143-154.
5. J. Kahn, N. Linial and A. Samorodnitsky, Inclusion-exclusion: exact and
   approximate, manuscript.
6. N. Linial and N. Nisan, Approximate inclusion-exclusion, Combinatorica 10, 1990,
   pp. 349-365.
7. F. J. MacWilliams and N. J. A. Sloane, The theory of error correcting codes,
   North Holland, Amsterdam, 1977.
8. J. Naor and M. Naor, Small bias probability spaces: efficient constructions and
   applications, SIAM J. on Computing, vol 22, 1993, pp. 838-856.
9. M. N. Wegman and J. L. Carter, New hash functions and their use in authentication
   and set equality, Journal of Computer and System Sciences 22, pp. 265-279 (1981).
Figure 5
