An Authenticatable (2, 3) Secret Sharing Scheme Using Meaningful Share Images Based on Hybrid Fractal Matrix

The secret image sharing (SIS) scheme is an important technology for protecting secret information. It distributes the secret data into multiple shares so that the participants can obtain the embedded secret by sharing their authenticated shares. Through simple processing of these shares, the secret data can be extracted. In this paper, we propose a (2, 3) SIS scheme based on a fractal matrix. Through guidance of the proposed fractal matrix, the secret data can be distributed into three shares which are indistinguishable from their corresponding cover images. Any two of the three distinct shares can cooperate to extract the exact secret data. Moreover, we devise two authentication mechanisms to prevent tampering. Experimental results show that our proposed scheme can provide efficient payloads with shares of good visual quality. The authentications are also effective and easy to implement.


I. INTRODUCTION
Nowadays, with the rapid development of the Internet, people can continuously enjoy the fruits of the latest technological revolution. More and more information is transmitted through the Internet. However, network viruses, Trojan horses, and illegal organizations that steal information all pose serious threats to information security. Thus, the security of information transmission has become particularly important, especially in the political, military, and commercial fields. Although traditional encryption can ensure information security to a certain extent, this type of technology does not conceal the content of the information. On one hand, the secret keys generated in order to hide information are often unordered symbols, which will arouse the interest of the tracker, thereby increasing the risk of exposure. This has become the biggest weakness of traditional encryption algorithms. On the other hand, with the sharply rising use of digital media, protecting intellectual property rights in digital media, preventing illegal copying and dissemination of intellectual property products, and ensuring information security have also become more and more urgent. In order to solve the above-mentioned series of problems, information hiding [1] technology was born.
The associate editor coordinating the review of this manuscript and approving it for publication was Mohamed Elhoseny.
Information hiding is mainly divided into two categories: reversible information hiding [2], [3] and irreversible information hiding [4], [5]. In reversible information hiding, the recipient can restore the original carrier losslessly after extracting the secret data embedded by the sender, while after irreversible information hiding, one cannot restore the original carrier. Based on these two categories of information hiding methods, it can be subdivided into the following four types: information hiding based on spatial domain [6]-[12], information hiding based on frequency domain [13]-[15], information hiding based on encryption domain [16]-[19], and information hiding based on compressed domain [20], [21].
Traditional information hiding schemes have an obvious common disadvantage: only a single carrier is used to embed information. Once the carrier is targeted by an attacker, the possibility of the information being attacked increases greatly. To solve this shortcoming, Shamir [22] and Blakley [23] proposed a (k, n)-threshold secret sharing scheme in 1979. Their scheme pioneered the concept of secret sharing. It distributes the secret data into n parts and deals them to n participants. When extracting the secret data, only k (k < n) participants working together can obtain the complete secret data. In 1994, Naor and Shamir [24] applied the concept of secret sharing to images and proposed the visual secret sharing (VSS) scheme. But their scheme produces binary shares and these shares look meaningless. A meaningless share is easily noticed by an attacker during transmission. Covering the secret data with a regular image can effectively reduce the risk of being suspected. To solve these disadvantages of the original VSS scheme, many improved VSS methods [25]-[28] have been proposed.
In 2006, Chang et al. [29] proposed a reversible secret image sharing (SIS) scheme using the exploiting modification direction (EMD) reference matrix. After embedding, two steganographic images with high visual quality are generated. The main difference between VSS and SIS is the visual perceptibility. Traditional VSS (including visual cryptography [25], extended visual cryptography [26], and color extended visual cryptography [27], [28]) reconstruct images by mixing gray levels or colors through stacking. The SIS scheme proposed in [29] extracts the secret data by computation. In this modern age of consumer electronics, portable devices are popular. Therefore, thin client computing is now more feasible than stacking transparencies. The SIS scheme became a new hot issue.
In 2010, Chang et al. [30] proposed a reversible SIS scheme based on the Sudoku matrix and Lagrange polynomial. In 2018 and 2019, reversible and authenticatable SIS schemes were proposed based on the turtle shell matrix [31], [32]. In 2020, Gao et al. [33] designed a new reference matrix called the stick insect matrix to further improve the SIS schemes. These reversible SIS schemes use only a single cover image to generate multiple shares, where each share has a very slight and invisible difference.
Although the shares generated from a single cover image look the same, they are vulnerable to steganalysis. By analyzing the differences between shares, camouflage can easily be detected. In 2019 and 2020, SIS schemes using different cover images were proposed [34], [35]. However, these schemes are irreversible: the cover images cannot be reconstructed after extraction of the secret data.
With irreversibility comes the problem that when one of the shares is tampered with, the secret data cannot be recovered at all, even though the share is authenticatable. In order to reduce the risk of tampering attacks, Gao et al. [36] proposed a (2, 3) reversible SIS scheme based on the fractal matrix. Through ingenious design of the fractal matrix, any two out of the three shares can cooperate to retrieve the secret data. However, this scheme uses a single cover image to generate two shares and suffers from the steganalysis risk mentioned above.
In this paper, we propose a (2, 3) SIS scheme which is based on the new fractal reference matrix and which uses three distinct share images. In our SIS scheme, three shares that are indistinguishable from their corresponding cover images are generated and any two shares can cooperate to retrieve the secret data. Our scheme also provides two effective authentication mechanisms and a large payload. The experimental results show that the embedding capacity of our scheme is larger than those of related works, and that the visual quality of the shares is satisfactory.
The rest of this paper is organized as follows. Section 2 briefly introduces the newly proposed fractal matrix. The share generation, authentication, and data extraction processes are proposed in Section 3. Section 4 presents the experimental results and discussions. Finally, conclusions and prospects are presented in Section 5.

II. THE PROPOSED FRACTAL MATRIX
In this section, we briefly introduce the fractal matrix proposed by Gao et al. in [36]. Then, a modified fractal matrix based on the same concept is proposed to fit our new problem formulation.

A. BRIEF INTRODUCTION OF THE FRACTAL MATRIX
The fractal matrix was first proposed by Gao et al. [36]. It is a special type of reference matrix which is applied to guide the production of shares in their secret sharing scheme. A fractal matrix is constituted by a lot of fundamental three-dimensional structures called fractal models. Two types of fractal models sized 2 × 2 × 2 and 3 × 3 × 3 are shown in Figs. 1(a) and 1(b), respectively. In each model, the colored boxes represent the fractal elements in the model. There are four and nine elements in Figs. 1(a) and 1(b), respectively. Following the spatial self-similarity property of fractals, a fractal group can be constructed using fractal models as basic elements. As shown in Fig. 2, the fractal matrix proposed in [36] contains a long series of concatenated fractal groups on its main diagonal.
The elements in a fractal model are so ingeniously arranged that the projections of all elements in a fractal group onto each axial plane constitute a perfect square matrix. In other words, each element in the fractal group is unique and indispensable. This property was exploited to design the (2, 3) SIS scheme in [36]. To achieve a similar purpose, the fractal matrix proposed in this paper is a modified version of the above matrix and will be described in the next subsection.

B. THE NEWLY PROPOSED FRACTAL MATRIX
As discussed in the previous subsection, two fractal models (see Fig. 1) are applicable to construct a fractal group. Two factors to be considered are the embedding capacity and the image distortion. A large sized fractal group has a high embedding capacity but the distortion of the shares is also large.
VOLUME 9, 2021
In this paper, we adopt a fractal group of hybrid type, where fractal models of $F_I$ sized 3 × 3 × 3 are nested within a fractal model of $F_O$ sized 2 × 2 × 2 to constitute a fractal group sized 6 × 6 × 6. As shown in Fig. 3, a fractal group is illustrated in the three-dimensional coordinate system. Assuming we have a three-dimensional matrix $M(x, y, z)$, where 0 ≤ x, y, z < 6, Eqs. (1)-(4) can be applied to check whether $M(x, y, z)$ is an element in the fractal group. The cubic space sized 6 × 6 × 6 is divided into eight blocks of $x_I = x \bmod 3$; $y_I = y \bmod 3$;
After determining the configuration of the fractal group, we apply a secret key to initialize the random number generator and start the numbering process. First, we assign a random permutation of 0 to 7 into all elements of each fractal model $F_I$ except for the central element, which is reserved for authentication purpose. Next, we assign a random permutation of 0 to 3 to each $F_O$ inside the fractal group. For instance,

III. THE PROPOSED (2, 3) SECRET IMAGE SHARING SCHEME
In this section, we first give an overview of the proposed scheme. Then, the production process of shares, authentication mechanisms, and data extraction process are introduced sequentially.

A. OVERVIEW
The schematic diagram of the proposed (2, 3)-SIS scheme is illustrated in Fig. 5. The data hider uses three distinct cover images to embed a secret image or data and generates three shares, which are visually indistinguishable from their corresponding cover images. The three shares are then distributed to three participants. To recover the secret data, any two of the participants who combine their shares can completely decrypt the secret. We provide an authentication mechanism, to be used before the decryption, to detect tampered shares and prevent cheating. When all three shares can be obtained, an even stricter authentication mechanism is available.

B. PRODUCTION OF THE SHARES
Assume that the secret data to be shared is converted into a long stream of binary segments denoted by
In this share generation phase, the three-dimensional fractal matrix M is first constructed. Then, the pixels in the cover images are processed in the prearranged order. Each time, we take a pixel triplet $(p_{1i}, p_{2i}, p_{3i})$ as coordinates and map it to the element $M(p_{1i}, p_{2i}, p_{3i})$ of the fractal matrix. Its mother fractal group $F_G$ and the precisely mapped fractal element are located by Eqs. (5)-(8).
For the special cases of $Q = \lfloor p/6 \rfloor = 42$, i.e., 252 ≤ p ≤ 255, the mapped matrix element does not belong to any fractal group. To embed data with a minimal distortion, we round it to the nearest index of Q = 41. The share production algorithm is summarized as follows.

1: Construct the fractal matrix (see Section 2.2) using secret key K.
3: Retrieve a data segment $s_k$.
11: End
12: Output shares $\hat{I}_1$, $\hat{I}_2$, and $\hat{I}_3$.

C. AUTHENTICATION OF THE SHARES
As discussed in Section 3.1, any two of the participants can recover the secret data by sharing their shares. In order to prevent cheating, two authentication mechanisms are provided.

1) AUTHENTICATION WITH TWO SHARES
Referring to Section 2.2, the central element of each fractal model and the residual space resulting from fractal group stacking are left unnumbered. Projection of the fractal matrix on the xy-plane is illustrated in Fig. 7. Since the fractal groups are duplications of a fundamental fractal group, the overlapped fractal elements at a particular position correspond to the same element in the fundamental group. Thus a unique secret binary segment can be determined. The positions marked by 'x' are vacated in the fractal matrix. Therefore, a proper secret embedded share triplet must project to a color position. A share pixel pair $(p_{1i}, p_{2i})$ which maps to an 'x'-marked position indicates the existence of a tampered pixel. This principle is valid for projections on all axial planes. An authentication mechanism is devised according to this principle and given as follows.

2) AUTHENTICATION WITH THREE SHARES
When we can obtain all the three shares, more information can be applied to detect a tampered share. A secret embedded share pixel triplet must be the coordinates of a fractal element. Otherwise, a tampering event is detected. Under such circumstances, we can authenticate the three shares pairwise. When a pair has passed the authentication, the remaining one is a tampered share. When there are no pairs of shares that can pass the authentication, it indicates that at least two shares are tampered with and that the secret is lost. The details of the algorithm are given as follows.

Print $N_F$.
17: If $N_F$ = 0, Print "authentication passed."
End

D. EXTRACTION OF SECRET DATA
Any two shares that have passed the authentication can cooperate to extract secret data. Each corresponding pixel pair retrieved from the two shares can be applied to extract a secret segment. The extraction algorithm is provided as follows.

1: Construct the fractal matrix (see Section 2.2) using secret key K.
2: Project
For each pixel pair $(p_{ai}, p_{bi})$,
6: Record $s_k$ to S.
7: End
8: Output S.
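
The following Python example is added here and is not the authors' MATLAB code. It walks one hybrid 6 × 6 × 6 group through share production (Section III-B), both authentication checks (Section III-C) and two-share extraction, and counts how often a tampered share 1 is caught. Since Eqs. (1)-(8) are not reproduced on this page, the membership rule, the tiling of identical groups over pixel values 0 to 251, the choice of the triplet's own group for embedding, and all function names are assumptions.

```python
import random
from itertools import product

G, NQ = 6, 42          # group edge; groups per axis (pixel values 0..251 covered)
PAIRS = ((0, 1), (0, 2), (1, 2))

def build_group(key):
    """One 6x6x6 hybrid group as {(x, y, z): 5-bit label, or None if reserved}.

    ASSUMED membership rule (the page's Eqs. (1)-(4) are not reproduced):
    (xI + yI + zI) % 3 == 0 inside F_I and (xO + yO + zO) % 2 == 0 inside F_O.
    """
    rng = random.Random(key)                       # keyed numbering
    outer = [o for o in product(range(2), repeat=3) if sum(o) % 2 == 0]
    inner = [i for i in product(range(3), repeat=3)
             if sum(i) % 3 == 0 and i != (1, 1, 1)]
    group = {}
    for o, hi in zip(outer, rng.sample(range(4), 4)):      # permutation of 0..3
        base = [3 * c for c in o]
        for i, lo in zip(inner, rng.sample(range(8), 8)):  # permutation of 0..7
            group[tuple(b + c for b, c in zip(base, i))] = (hi << 3) | lo
        group[tuple(b + 1 for b in base)] = None   # central element: unnumbered
    return group

def projections(group):
    """Per axis pair, map each 2-D projection back to its unique 3-D element."""
    return {ab: {(e[ab[0]], e[ab[1]]): e for e in group} for ab in PAIRS}

def embed(group, cover_triplet, segment):
    """Replace a cover triplet by the element labelled `segment`.

    ASSUMED: the element is taken from the triplet's own (mother) group.
    """
    elem = next(e for e, label in group.items() if label == segment)
    # Q = floor(p / 6); values 252..255 (Q = 42) are rounded to Q = 41.
    return tuple(G * min(p // G, NQ - 1) + c for p, c in zip(cover_triplet, elem))

def extract_pair(group, proj, ab, pa, pb):
    """Two-share extraction and authentication; None means the pair is illegal."""
    if max(pa, pb) >= G * NQ:
        return None                                # vacant residual space
    return group[proj[ab][(pa % G, pb % G)]]       # None at an 'x' position

def auth_triplet(group, triplet):
    """Three-share authentication: must be a numbered fractal element."""
    if max(triplet) >= G * NQ:
        return False
    return group.get(tuple(p % G for p in triplet)) is not None

def detection_counts(group):
    """Tamper only share 1 inside one group; count detections exhaustively."""
    proj, two, three, total = projections(group), 0, 0, 0
    for e in (e for e, label in group.items() if label is not None):
        for x in (x for x in range(G) if x != e[0]):
            total += 1
            two += extract_pair(group, proj, (0, 1), x, e[1]) is None
            three += not auth_triplet(group, (x, e[1], e[2]))
    return two, three, total

if __name__ == "__main__":
    group = build_group(key=2021)                  # constructed key
    proj = projections(group)
    shares = embed(group, (200, 37, 254), 0b10110) # constructed cover pixels
    print("share pixels:", shares)
    for ab in PAIRS:
        print(ab, "->", extract_pair(group, proj, ab, shares[ab[0]], shares[ab[1]]))
    print("detected by 2 shares / 3 shares / cases:", detection_counts(group))
```

Under these assumptions the two-share check catches a single altered pixel in only a fraction of cases, while the three-share check catches every one, which matches the trade-off between embedding capacity and authentication ability discussed in Section IV-B.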

IV. EXPERIMENTAL RESULTS
In this experimental section, we will evaluate the performance of our SIS scheme. The 12 standard gray images of size 512 × 512 used in our experiment are shown in Fig. 8. All programs are implemented with MATLAB R2018a.

A. VISUAL QUALITY
In order to evaluate the visual quality of the shares generated by our SIS scheme, we use two evaluation indicators, PSNR (Peak Signal-to-Noise Ratio) and SSIM (Structural Similarity). The formula for PSNR is as follows: where H and W represent the height and width of the two images, and p i and p j represent the corresponding pixels in the two images. In general, if the PSNR value of the share and the cover image exceeds 30dB, it is difficult for human eyes to distinguish the difference between two images. The formula for SSIM is as follows: where P and P represent the cover image and the share, respectively; µ P and µ P represent the average of P and P , respectively; σ 2 P is the variance of P, σ 2 P is the variance of P and σ PP is the covariance of P and P ; and c 1 and c 2 are constants used to maintain stability of the formula. c 1 and c 2 can be obtained by Eqs. (14) and (15), respectively, where L is the dynamic range of pixel values, k 1 = 0.01, k 2 = 0.03.
Since the three shares generated by our SIS scheme are only minor modifications to the pixels of the three cover images, the image quality of the shares should be excellent in theory. To confirm this, Fig. 9 shows the first experimental results. The secret image "Airplane" with a size of 256 × 256 (see Fig. 9(a)) is embedded into three cover images "Coach", "Lena" and "Barbara" with the size of 512 × 512 (see Fig. 9(b)-(d)). After full embedding, the three high-quality shares are generated with PSNR values of 44.36 dB, 44.39 dB and 44.39 dB, respectively (see Figs. 9(e)-(g)). As shown in Fig. 9(h), the secret image can be recovered losslessly as long as there are no tampered shares.
The visual quality of the shares generated by our SIS scheme is listed in Table 1, where random bit streams are used as the secret data. In this case, the PSNR value is maintained at about 40.4 dB. The embedding capacity is increased to 5 bits per cover pixel pair with only a slight reduction in the quality of the shares. Table 2 compares the features of our scheme with other SIS schemes. SIS schemes based on modern lightweight computing focus on generating meaningful shares with good visual quality and large embedding capability. As shown in the table, the features of reversibility and different cover images are mutually contradictory. To recover distinct cover images requires three times the information of a single cover image. It is not worth doing, since the cover images are just used for covering the secret transmission. In addition, the attacker can analyze information from the difference of secret shares generated with a single cover image. Therefore, the single cover image-based schemes are more vulnerable under steganalysis. The three most striking features of our proposed scheme are the complete difference of the cover images, the extremely high embedding capacity and the (2, 3) secret sharing. An advantage of our scheme is that, if one of the shares is invalid, we can use the other two shares to completely recover the secret data, but in the traditional SIS scheme, the secret data cannot be recovered at all. Therefore our scheme provides fault tolerance that the traditional SIS schemes do not have.

B. AUTHENTICATION ABILITY
In order to test the authentication ability of the two authentication mechanisms proposed in our scheme, we assume that three shares 1, 2 and 3 are distributed to participants 1, 2 and 3, respectively. Suppose the share of participant 1 is fake, and the shares of participant 2 and 3 are real. When participants 1 and 2 want to cooperate to retrieve the secret data, participant 2 can verify whether participant 1 is dishonest. Here, we use the DR (detection rate) to measure the authentication ability of the two authentication mechanisms. The formula of DR is defined as: where $N_d$ represents the number of illegal pixels detected by the authentication mechanism, and $N_t$ represents the total number of illegal pixels. Next, we use two examples to illustrate the two authentication mechanisms which are proposed in our scheme. Referring to Fig. 10, a hostile image "Airplane" (see Fig. 10(a)) is inserted into share 1 in "Coach" (see Fig. 10(b)). The result of using real share 2 "Lena" (see Fig. 10(c)) to verify share 1 is shown in Fig. 10(d). The black pixels represent the ones where tampering has been detected.
The second example is shown in Fig. 11, where the hostile image and the tampered share are shown in Figs. 11 (a) and (b), respectively. With the help of two real shares (see Figs. 11(c) and (d)), the detection result is shown in Fig. 11(e). From the results, we can see that our scheme has a good ability to detect tampering.
When we can obtain all three shares, more information can be applied to detect a tampered share. A secret embedded share pixel triplet must be the coordinates of a fractal element. Otherwise, a tampering event is detected. Under such circumstances, we can authenticate the three shares pairwise. As shown in Fig. 12, when a pair has passed the authentication, the remaining one is a tampered share. When there are no pairs of shares that can pass the authentication, it indicates that at least two shares are tampered with and that the secret is lost.
To investigate the authentication ability of the proposed mechanisms, the DR values for different experimental image sets (see Fig. 13) are listed in Table 3. Since there is a trade-off between embedding capacity and authentication ability for reference matrix-based schemes, the detection rate for authentication with two shares is relatively low. However, the authentication is processed pixel-wise. A small tampering patch consists of hundreds or even thousands of pixels. It is almost impossible to pass the authentication. When all three shares can be obtained, the detection rate can be greatly improved. In fact, the third pixel value of a triplet can be uniquely determined within the whole space of a particular fractal group.

C. SECURITY ANALYSIS
In order to analyze the security of the proposed scheme, pixel-value differencing steganalysis [37] is applied. The histograms of pixel-value difference are shown in Fig. 14, where the test cover images are 'Baboon', 'Lena', and 'Zelda'. The histograms of the fully embedded stego-images are very close to the histograms of the cover images, which indicates that the proposed scheme is secure under the steganalysis of pixel-value differencing.

V. CONCLUSION
In this paper, a novel (2, 3) SIS scheme based on three distinct cover images and the fractal matrix has been proposed. Our scheme has good security and authentication ability. The scheme has the following features: (1) the three shares are generated based on the three distinct cover images, (2) the shares generated by our scheme have high visual quality, (3) it provides two effective authentication mechanisms, and (4) any two of the three shares can cooperate to extract the secret data losslessly. Experimental results show that the proposed (2, 3) SIS scheme can achieve good embedding capacity with a satisfactory visual quality of the shares.
Our future work will try to generalize the (2, 3) SIS scheme into a (k, n) SIS scheme with an arbitrarily selected parameter set, where k < n. The principle is to choose a set of elements within a properly sized n-dimensional matrix in a way that their projections into any k-dimensional subspace do not overlap. This set of elements can be applied as a group for embedding, which guarantees that the secret is extractable using arbitrarily selected k shares.
[36] K. Gao

CHIN-CHEN CHANG (Fellow, IEEE) received the B.S. degree in applied mathematics and the M.S. degree in computer and decision sciences from National Tsing Hua University, and the Ph.D. degree in computer engineering from National Chiao Tung University. From 1989 to 2005, he was with the National Chung Cheng University. He is currently the Chair Professor of the Department of Information Engineering and Computer Science, Feng Chia University. Prior to joining Feng Chia University, he was an Associate Professor with National Chiao Tung University, a Professor with National Chung Hsing University, and the Chair Professor with National Chung Cheng University. He has been a Visiting Researcher with The University of Tokyo, Japan, and a Visiting Scientist with Kyoto University, Japan. During his service in National Chung Cheng University, he served as the Chairman for the Institute of Computer Science and Information Engineering, the Dean for the College of Engineering, a Provost, the Acting President for National Chung Cheng University, and the Director for Advisory Office in Ministry of Education, Taiwan. His current research interests include database design, computer cryptography, image compression, and data structures. He has won many research awards and has honorary positions in prestigious organizations both nationally and internationally. Since his early years of career development, he has consecutively won awards, including the Outstanding Talent  On numerous occasions, he has been invited to serve as a visiting professor, the chair professor, the honorary professor, the honorary director, the honorary chairman, the distinguished alumnus, the distinguished researcher, and a research fellow by various universities and research institutes.