A Novel Hierarchical Secret Image Sharing Scheme with Multi-Group Joint Management

: With the spread of the Internet, the speed of data spread is getting faster and faster. It beneﬁts us a lot but also brings us many potential security problems, especially the problem of privacy leakage. For example, more and more people choose to store their private images in the cloud. Secret image sharing as a signiﬁcant method has been widely applied in protecting images in the cloud, which reduces the risks of data leakage and data loss. Generally, the secret image sharing scheme would encrypt the secret image into a series of shares and then stored these shares in a cloud. However, when this cloud has been attacked, the secret may meet a risk of leakage. A solution to solve the problem is that the generated shares are distributed storage in multiple clouds. Each cloud is independent and all clouds can have a collaboration to manage the secret image. To address this issue, a novel hierarchical secret image sharing scheme with multi-group joint management is proposed in this paper, which is suitable for protecting the security of the secret image by distributed storage over multiple clouds. In the proposed scheme, the secret image would be shared among multiple groups with different thresholds. The number of each group’s shareholders is determined by a sequence of thresholds. Therefore, the proposed scheme is a hierarchical secret image sharing scheme in which the secret image can be reconstructed if and only if the number of shares has met all threshold conditions. In addition, the generated shares have the same weight, which is more suitable for universal applicability. Both the system analysis and the simulation results prove that the proposed scheme is efﬁcient and practical.


Introduction
With the rapid development of information sciences, the speed of data spread is getting faster and faster. It benefits us a lot but also brings us many potential security problems in the aspect of privacy leakage. For example, the private photos disclosed on social networking sites [1][2][3], the electricity consumption data disclosed by a smart grid [4], the user's data in IoT [5,6] and so on. How to protect secret data transmitted in the network becomes an urgent problem.
Secret sharing (SS) is a significant encryption technology to protect secret data [7]. Generally speaking, the most commonly used secret sharing is the (t, n) SS scheme. It encrypts the secret data into n shares and then sent to n shareholders. Only no less than t shareholders with collaboration can decrypt and obtain the secret data. In this way, the secret data can be stored in a distributed way, which is more secure than centralized storage. With the rapid development of multimedia technology, secret sharing is used in a vast range of multimedia and secret image sharing is one of its important applications. In 2002, Thien and Lin proposed a (t, n) secret image sharing (SIS) scheme to protect the secret image [8]. In Thien and Lin's scheme, a secret image is first permuted and then divided into several blocks. Each block has t non-overlapped pixels which would be used to construct a (t − 1) degree sharing function f (x). The pixel value in each share is f (1), f (2), . . . , f (n), respectively. Finally, these random-looking shares would be sent to shareholders, respectively. In the reconstruction procedure, the secret image can be reconstructed based on Lagrange interpolation if and only if no less than t shareholders collaborate. Actually, all operations in Thien and Lin's scheme are over the finite field F p , where p is a prime number and is usually selected as p = 251. Therefore, all pixel values larger than 250 in the secret image are truncated to 250, which would result in a distortion of the reconstructed secret image. Soon afterward, Wu and Kanso et al. attempted to improve the quality of the reconstructed secret image in different ways [9,10], respectively. However, the reconstructed secret image still has a distortion problem. In fact, the problem of distortion in an image is not allowed in many areas, such as medical images and military drawings. In order to solve this problem, a Galois Field GF(p) would be employed in secret image sharing to acquire a lossless secret image. Recently, most of secret image sharing schemes [11][12][13] choose the finite field GF(2 8 ) as the prime polynomial for a gray image, which corresponds to the irreducible polynomial is Except by Lagrange interpolation, secret sharing can also be realized in many ways. Yan et al. provided a secret image sharing with a general access structure based on Chinese remainder theorem (CRT) [14]. Jia et al. proposed a novel secret sharing scheme based on CRT in which the threshold is changeable [15]. Mashhadi and Samaneh proposed a secure publicly verifiable and proactive secret sharing scheme based on bilinear pairings and monotone span programs [16]. Deshmukh et al. proposed an efficient and secure multiple secret sharing scheme based on boolean XOR and arithmetic modulo [17].
All of the schemes discussed above require all shareholders belonging to a group, such as a party, a company or a government. Actually, the secret image may be managed jointly by multiple groups. For example, all the above schemes assume that each shareholder is considered to have the same priority. Actually, many scenarios require to assign different privileges to different participants. It is necessary to develop the secret image sharing such that the generated shares in several groups can be allocated with different weights. Hierarchical secret image sharing (HSIS) solves this problem. In 2007, Tassa provided a method for constructing a hierarchical secret sharing scheme which constructs a polynomial from a set of unstructured points and derivative values [18]. Employing Tassa's hierarchical secret sharing scheme, Guo et al. proposed a HSIS scheme in which the generated shares are partitioned into several levels, and the threshold access structure is determined by a sequence of threshold requirements [19]. However, Guo et al.'s scheme may arise a risk that the secret image would be partially reconstructed when some non-authorized shareholders attempt to attack the secret image. To overcome this drawback, Pakniat et al. proposed an improved HSIS scheme [20], which improves the level of security by utilizing the cellular automata and hash function. In 2018, Bhattacharjee et al. proposed a HSIS scheme which can generate fixable shares by utilizing the compressed sensing [21]. Besides, considered that some sharesholds may not just be involved in a secret sharing scheme and assigned multiple shares, Jia et al. proposed collaborative secret sharing scheme in which each shareholder just keep only one share can participate in multiple secret sharing schemes [22].
Actually, even if the secret image has been processed in the above manner, the protection against the secret image leakage may not be achieved. Suppose that a provider of the cloud storage is dishonest. Then, it is possible for it to obtain the secret image by collecting enough shares. Thus, it is necessary that the generated shares can be distributed storage in multiple clouds. Therefore, a novel hierarchical secret image sharing scheme with multi-group joint management is proposed in this paper. The proposed scheme is more suitable for protecting the security of the secret image by distributed storage over multiple clouds, which can resist shares leakage from one cloud. In the proposed scheme, by combining the threshold secret image sharing scheme and the derivation operation, the secret image would be shared among multiple groups with different thresholds. The proposed scheme is a hierarchical secret image sharing scheme in which the secret image can be reconstructed if and only if the number of shares has met each threshold. The highlights of this paper are as follows 1. The secret image can be jointly managed by multiple groups. 2. The proposed scheme has a hierarchical threshold access structure . 3. Shares have a same size and same weight.
The outline of this paper is organized as follows. Section 2 presents some basic descriptions of preliminaries. Section 3 presents the proposed scheme in detail. The security analysis of the proposed scheme is presented in Section 4. The simulations and comparison are presented in Section 5, and the conclusion of this paper is presented in Section 6.

Preliminaries
In this section, there are some preliminaries reviewed including Shamir's secret sharing scheme [7] and Guo's hierarchical threshold secret image sharing scheme [19].

Review of Secret Sharing
Shamir's secret sharing scheme is a (t, n) threshold scheme, which is based on the polynomial interpolation. All operations are performed over the finite field F p , p is a secure big prime. In Shamir's scheme, the dealer encrypts a secret data s into n shares s i , i = 1, 2, . . . , n, and sends these them to n shareholders U i , respectively. The access structure refers to the qualified subset holding at least t shares which can recover the secret. Shamir's (t, n) secret sharing scheme includes two procedures: shares generation procedure and secret reconstruction procedure, which is introduced as follows.

Shares Generation Procedure
Step 1. Given a secret data s,the dealer chooses t − 1 random number r 1 , r 2 , . . . , r t−1 and a prime number p,where s ∈ F p and r 1 , r 2 , . . . , r t−1 ∈ F p .
Step 3. The outputs y i = f (x i ) are regarded as shares S i and assigned to the shareholders U i in a secure channel.

Secret Reconstruction Procedure
Step 1. Given a subset of t disparate shares S i , i ∈ A, A = {1, 2, . . . , t}, the t − 1 degree polynomial can be reconstructed by Lagrange interpolation as formula (1): Step 2. The secret data s can be reconstructed by calculating s = f (0).

Birkhoff Interpolation
Birkhoff Interpolation Problem. The Birkhoff interpolation problem that corresponds to the triplet X, E, C is a problem of finding a polynomial P(x) ∈ R N−1 [x] that satisfies the N equalities where P (j) (x) is the j-th derivative of P(x) and R N−1 [x] is the set of all possible polynomials with degree at most N − 1.

Theorem 1.
Let the Birkhoff interpolation problem that corresponds to the triple X, E, C be well posed.
Then the entries of E satisfy the relation (3) ∀t, where l is the highest derivative order in the data and k is the number of interpolating points [23].
Theorem 2. The interpolation problem (Definition 1) has a unique solution if the interpolation matrix E satisfies Theorem 1, and contains no supported l-sequences of odd length.
Theorem 3. The Birkhoff interpolation problem has a unique solution over the finite field GF(q) if the conditions of the Theorem 2 and the following condition hold simultaneously: where l is the highest derivative order in the data.

Review of Guo's Hierarchical Threshold Secret Image Sharing
In Guo's (t, n) hierarchical threshold secret image sharing [19], the shares generated by the secret image are shared among a set of n shareholders with several levels. The number of each level's sharesholders is determined by a sequence of thresholds. The secret image can be reconstructed if and only if the collected shares meet the following two conditions. First, the sum of collected shares is no less than t. Second, the number of the collected shares meets each level's threshold requirement. Guo's (t, n) hierarchical threshold secret image sharing scheme includes two procedures: shares generation procedure and secret image reconstruction procedure.

Shares Generation Procedure
Step 1. Given a secret image I, a cover image O sized M × N,and a set of n shareholders U = {U 1 , U 2 , . . . , U n }. The n shareholders are classified into (m + 1) levels L 0 , L 1 , . . . , L m with the corresponding threshold requirement {t 0 , Step 2. Every t m non-lapped pixels {s 0 , s 1 , . . . , s t m −1 } in the secret image I are grouped as a section. For each section, a (t − 1) degree function can be constructed as Step 3. The shadow images in the hierarchy L r can be generated by computing f (t r −1) (x).
Step 5. Each shadow image SH i can be transformed a σ-bit stream as SH i = (y i,1 , y i,2 , . . . , y i,w ) σ , where w = long σ SH i . The w pixels o i,j ,j ∈ [1, w] in stego images O i can be generated by replacing w pixels o i,j as: Step 6. The generated n stego images O i are regarded as the n shares S i , i ∈ 1, 2, . . . , t and sent to shareholders, respectively.

Secret Image Reconstruction Procedure
Step 1. Given a subset of t disparate shares, the t disparate shadow images SH i , can be extracted from shares S i , i ∈ 1, 2, . . . , t, according the formula (7) SH i = y i,1 y i,2 · · · y i,w .
Step 2. The secret image I can be reconstructed by employing Birkhoff interpolation with t disparate shadow images.

The Proposed Scheme
This section presents a novel hierarchical secret image sharing (HSIS) scheme with multi-group joint management in detail. The secret image in the proposed scheme is shared among multiple groups. Each group is independent and includes several shareholders. To protect the secret image, any group cannot reconstruct the secret image without other group's cooperation.
The definition of multiple groups, the threshold requirement of each group and the conditions of the number of collected shareholders in the secret image reconstruction procedure are presented as follows.
Definition 2. Given a secret image I, supposing that the secret image I is shared with two groups G 1 and G 2 . Suppose that G 1 consists of n 1 shareholders and G 2 consists of n 2 shareholders, which are denoted as , n = n 1 + n 2 . Besides, each group has a corresponding threshold requirement. Supposing the threshold requirement of G 1 is t 1 and the threshold requirement of G 2 is t 2 , where t = t 1 + t 2 . Supposing that |A| denotes the cardinality of any set A. To reconstruct the secret image, the number of collected shareholders must satisfy following conditions: (1) |G 1 | ≥ t 1 ; (2)|G 2 | ≥ t 2 ; (3) |G 1 | + |G 2 | ≥ t. The proposed scheme includes two procedures: shares generation procedure and secret image reconstruction procedure.

Shares Generation Procedure
Step 1. Employ a reversible permutation operation on the secret image I to acquire a permuted secret imageÎ. It is necessary to reduce the association between adjacent pixels.
Step 2. Every t non-lapped pixels a 0 , a 1 , . . . , a t−1 are separated as a unit, and each unit can be used to construct a t − 1 degree function f (x) as follows: Step 3. Repeat the step 2 until all pixels have been processed, and the intermediate shadows T 1 i for G 1 can be generated by computing T 1 i = f (i). Step 4. Calculate t 1 -th derivative of f (x) in the step 2, the derivation is shown as: The results of S 2 j = g(j) are the pixel values in shares and the generated shares would be sent to the shareholders in G 2 .
Step 6. The shares S 1 i sent to G 1 can be generated by S 1 i = (T 1 i + R)mod(2 8 ).

Shares Generation Procedure
Step 1. Given a subset of t disparate shares includes t 1 shares from G 1 and t 2 shares from G 2 . Using t 2 shares from G 2 , the coefficients of g(x) can be reconstructed by Birkhoff interpolation and the mask shadow R can be obtained by R = b 0 × b 1 × · · · × b t 2 −1 mod(2 8 ).
Step 2. When G 2 has been calculated to generate the mask shadow R, the mask shadow R will be sent to G 1 , and the t 1 intermediate shadows T = (S 1 − R)mod(2 8 ) in G 1 can be reconstructed.
Step 3. By utilizing t 1 shares from G 1 and t 2 shares from G 2 , the permuted secret imageÎ can be reconstructed by employing Birkhoff interpolation.
Step 4. The secret image I can be reconstructed by employing the corresponding inverse-permutation on the permuted secret imageÎ.

Security Analysis
The security of the proposed scheme is mainly focuses on the security of the secret image. We will analyse the security of the secret image when the number of collected shareholders whether or not satisfy the threshold conditions: (1) |G 1 | ≥ t 1 ; (2) |G 2 | ≥ t 2 ; (3) |G 1 | + |G 2 | ≥ t. The entire analysis process consists of the following three scenarios: Case 1. When |G 1 | < t 1 , |G 2 | ≥ t 2 , |G 1 | + |G 2 | ≥ t, the secret image cannot be reconstructed.
Proof. Supposing |G 1 | = l 1 < t 1 ,|G 2 | = l 2 ≥ t 2 and |G 1 | + |G 2 | = l 1 + l 2 ≥ t. In the secret image reconstruction procedure, first l 2 (l 2 ≥ t 2 ) collected shareholders in G 2 can reconstruct the function g(x) = f (t 1 ) (x) = b 0 + b 1 x + · · · + b t 2 −1 x t 2 −1 mod(2 8 ) based on the Birkhoff interpolation. As the coefficients b 0 , b 1 , . . . , b t 2 −1 can deduce t 2 coefficients a t 1 , a t 1 +1 , . . . , a t−1 in f (x), and the number of coefficients in f (x) is t = t 1 + t 2 , there still t 1 coefficients in f (x) are unknown. Meanwhile, the mask shadow R can be acquired as R = b 0 × b 1 × · · · × b t 2 −1 mod(2 8 ), and then G 2 will send the mask shadow to the involved l 1 shareholders in G 1 . For |G 1 | = l 1 < t 1 less than t 1 intermediate shadows can be reconstructed, the function f (x) cannot be reconstructed correctly. Therefore, even |G 2 | meet the threshold condition, the secret image cannot be reconstructed.
Proof. Supposing |G 1 | = l 1 ≥ t 1 , |G 2 | = l 2 < t 2 and |G 1 | + |G 2 | = l 1 + l 2 ≥ t. Since there are only l 2 shareholders in G 2 participating in reconstructing the secret image, the function g(x) cannot be reconstructed. Therefore, the mask shadow R also cannot be obtained. Therefore, even there are l 1 shareholders in G 1 participating the secret image reconstruction procedure, the secret image still cannot be reconstructed. Therefore, only |G 1 | meets the threshold condition, the secret image cannot be reconstructed. Case 3. When |G 1 | ≥ t 1 , |G 2 | ≥ t 2 , |G 1 | + |G 2 | ≥ t,the secret image can be reconstructed.
Proof. Supposing |G 1 | = l 1 ≥ t 1 , |G 2 | = l 2 ≥ t 2 and |G 1 | + |G 2 | = l 1 + l 2 ≥ t. In the secret image reconstruction procedure, l 2 (l 2 ≥ t 2 ) collected shareholders in G 2 can reconstruct the function g(x) = f (t 1 ) (x) = b 0 + b 1 x + · · · + b t 2 −1 x t 2 −1 mod(2 8 ) based on the Birkhoff interpolation. Since t 2 coefficients b 0 , b 1 , . . . b t 2 −1 can deduce t 2 coefficients a t 1 , a t 1 +1 , . . . a t−1 in f (x),and the number of coefficients in f (x) is t = t 1 + t 2 ,there still t 1 coefficients in f (x) are unknown. Meanwhile, the mask shadow R can be acquired as R = b 0 × b 1 × · · · × b t 2 −1 mod(2 8 ), and then the mask shadow would be sent to the involved l 1 shareholders in G 1 , and G 1 can reconstruct l 1 intermediate shadows. All l 1 intermediate shadows and g(x) can be used to reconstruct f (x), thus, permuted secret image can be recovered. The secret image can be reconstructed after performing the reversible permutation operation on permuted secret image. Therefore, only when both G 1 and G 2 meet the threshold condition, the secret image can be reconstructed.

Simulation and Comparison
Supposing there are two independent groups G 1 and G 2 , where G 1 consists of three shareholders and G 2 consists of four shareholders. Denoting 1,4], n = 7. Besides, each group has its corresponding threshold requirement. Suppose the threshold of G 1 is t 1 = 2 and the threshold of G 2 is t 2 = 2, where t = t 1 + t 2 = 4, the simulation results are shown in Figure 1. Figure 1. (a) the test secret image "Lena", (b) the permuted secret image, (c) the generated shares sent to G 1 , (d) the generated shares sent to G 2 . Figure 1a shows the test secret image I named "Lena" with 512 × 512 pixels and Figure 1b shows the permuted secret imageÎ. The generated shares according to the proposed scheme are shown in Figure 1c,d, where Figure 1c presents three shares sent to G 1 and Figure 1d presents four shares sent to G 2 . As we can see, each shares has the same size with 256 × 256 pixels.

The Security
There are some simulation results to prove the security of the secret image in the proposed scheme. According to the security analysis in Section 4, we conduct three experiments as examples to demonstrate the proposed scheme, and the simulation results are presented in Figure 2.

Example 1.
Assume that the collected shares in the secret image reconstruction procedure satisfy |G 1 | < 2, Considering that there are four shares including one share from G 1 and three shares from G 2 . The simulation result is shown in Figure 2a. As we can see, when the collected shares cannot reach the threshold condition in G 1 , the reconstructed image is a random-looking image which can prove the security of the secret image in Case 1.

Example 2.
Assume that the collected shares in the secret image reconstruction procedure satisfy |G 1 | ≥ 2, |G 2 | < 2, |G 1 | + |G 2 | ≥ 4 Considering that there are four shares including three shares from G 1 and one shares from G 2 . The simulation result is shown in Figure 2b. As we can see, when the collected shares against the threshold condition in G 2 , the reconstructed image is a random-looking image which can prove the security of the secret image in Case 2.
Example 3. Assume that the collected shares in the secret image reconstruction procedure satisfy |G 1 | ≥ 2, Considering that there are four shares including two share from G 1 and two shares from G 2 . The simulation result is shown in Figure 2c. For the collected shares satisfied both the threshold condition in G 1 and the threshold condition in G 2 , the original secret image can be reconstructed.

Histogram Analysis
The purpose of analysing an image's histogram is to measure the intensity level of this image. Usually, the pixel values in a random gray image are uniformly distributed in the range [0, 255], and it is better when the generated shares have the feature of a random image.
We analyse the histograms of the test secret image and the generated shares in each group to prove that the security of the proposed scheme, and the results are presented in Figure 3. Figure 3a shows the histogram of the test secret image "Lena". The histogram of shares in G 1 and G 2 are shown in Figure 3b,c, respectively. As we can see from Figure 3, the pixel values in generated shares are almost uniformly distributed, so that the visible pattern cannot acquire meaningful information about the secret image.

Correlation of Adjacent Pixels Analysis
If there is a strong correlation with the adjacent pixels in the shares, which would attract the attention of the attacker and would reveal some meaningful information of the secret image. Therefore, it shows a better security when the correlation between adjacent pixels is as little as possible in the generated shares. Mathematically, the correlation P xy is represented by the formula (10).
where C(x), C(y) and D(x), D(y) are noted as the mean value and the standard variance of a sequence x and a sequence y, respectively, which are represented by the Formula (11) and Formula (12). And x, y represented as data sequences of two adjacent pixels in an image. When there is a strong correlation with the adjacent pixels, the value of P xy approaches 1, otherwise, the value of P xy approaches 0. Table 1 shows the horizontal, vertical, and diagonal correlation coefficients in the secret test image "Lena" and two generated shares from G 1 and G 2 , respectively. It can be seen that the all correlation coefficients of the shares S 1 1 and S 2 1 are close to zero, which illustrate that the generated shares seems as random images. Besides, the correlation coefficients also can be evaluated from the plots. Usually, the stronger correlation between the adjacent pixels, the closer the points accumulating along the line y = x. The plots of the intensity values in horizontally adjacent pixels from "Lena", and the shares S 1 1 , S 2 1 are shown in Figure 4a-c, respectively.

Resisting Noise Analysis
The shares would be polluted with some noise during being transmitted to shareholders, which would impact the quality of the reconstructed image. It is better the secret image can be reconstructed when shares are exposed to noise pollution in different degree. We add some different percentages Gaussian noise into each share and the results are presented in Figure 5. Figure 5a shows the share with the share with 1% Gaussian noise and the decrypted image. Figure 5b shows the share with the share with 5% Gaussian noise and the decrypted image. Figure 5c shows the share with the share with 10% Gaussian noise and the decrypted image. Figure 5d shows the share with the share with 15% Gaussian noise and the decrypted image. The value of peak-signal-to-noise-ratio (PSNR) is used to evaluate the visual quality of the decrypted image. Mathematically, PSNR is represented by the Formula (13).
where MSE is the mean square error and represented as the Formula (14) and M × N is the size of the original image, O xy and R xy are pixel values in the original image and decrypted image, respectively.  Table 2 presents the comparison between some related hierarchical secret image sharing schemes and the proposed scheme. First, there is a comparison of the level of security. As shown in the first row in Table 2, the proposed scheme is better than Guo et al.'s scheme in the aspect of the security. Actually in Guo et al. scheme [19], the embedded secret pixel values into all coefficients of a polynomial may be leading some non-authorized shareholders to partially restore the secret image, so that there is a low level of security in Guo et al.'s scheme. While in the proposed scheme, the secret image is permuted as a chaotic secret image, which improves the level of security of the secret image.

Comparison
Second, there is a comparison of the characteristic of the generated shares. As shown in the second row in Table 2, the generated shares in Guo et al.'s scheme [19] and Pakniat et al.'s scheme [20] have different importance. While the generated shares in the proposed scheme have the same importance, which is more suitable for jointly managing the secret image by multiple groups.
Third, there is a comparison of the characteristic of shareholders. As shown in the third row in Table 2, the participated shareholders are from a common group in the schemes [19][20][21], so that the secret image is managed by one group. Actually, in the real world, the secret image needs to be managed by multiple groups jointly. Therefore, the scheme which the shareholders are from multiple groups is more suitable for a hierarchical secret image sharing scheme with multi-group joint management.

Conclusions
In this paper, a novel hierarchical secret image sharing scheme with multi-group joint management is proposed, which is suitable for protecting the security of the secret image by distributed storage over multiple clouds. In the proposed scheme, the secret image is managed by multiple groups rather than one group. By combining secret image sharing and Birkhoff interpolation algorithm, the secret image would be shared among multiple groups with different thresholds. Besides, the generated shares have the same weight, which is more suitable for the applicability. In addition, the proposed scheme would be applied in other related fields, such as image encryption in the Internet of things, multi-secret sharing in ad hoc networks, and so on.