Advanced fault-tolerant visual multi-secret sharing scheme

Aim: In visual cryptography, a secret image is encrypted into two meaningless random images called shares. These two shares can be stacked to recover the secret image without any calculations. However, because of the alignment problem in the decryption phase, risk of poor quality of the restored image exists. Encrypting multiple secrets on two images simultaneously can improve execution efficiency. Methods: Let 7 × 7 pixels be a unit; this paper designs a codebook for any unit in the secret images by using a random grid. Besides, this paper shows a general shifting approach that can embed 𝑁 (≥ 2 ) secret images simultaneously with adjustable distortion. Results: This paper provides a visual multi-secret sharing scheme without pixel expansion; the proposed scheme can encrypt more than two secret images into two shares simultaneously. During decoding, aligning the shares precisely is not necessary. Conclusion: Theoretical analysis and simulation results indicate the effectiveness and practicality of the proposed scheme.


INTRODUCTION
A secret-sharing scheme (SSS) is ideal for storing information and is highly essential for ensuring information security. The primary idea behind an SSS is that a secret is distributed among a group of participants, among whom only qualified participants can reconstruct the secret. A visual SSS (VSSS) is also crucial for information security, and its most attractive feature is that the confidential content in a secret image can be deciphered by the human visual system. Compared with an SSS, a VSSS requires no computation in the decoding phase; therefore, a VSSS is widely applicable in many fields. In 1994 , Noar and Shamir [1] first developed the concept of visual cryptography (VC), and they demonstrated a ( , )-threshold VSSS, where a secret image is divided into (≥ 2) image shares; each share does not reveal information about the original image. The secret image can be seen only when any (≤ ) shares are stacked together.
The performance of the ( , )-threshold VSSS [1] is limited for two reasons. The first reason is pixel expansion; specifically, the size of shares is larger than the original secret images. The second reason is the necessity of a codebook, which would require additional storage space. Kafri and Keren [2] proposed a random grid (RG)based VSSS (RG-based VSSS) that uses the random variable mechanism and encodes a binary image into two RGs. The RG-based VSSS is not marred by the above two drawbacks affecting the ( , )-threshold VSSS; therefore, the RG-based VSSS is the superior approach. Some RG-based schemes have been proposed [3,4] . Thus far, RG-based VSSS is a well-known SSS that provides this novel stacking-to-see property and prevents pixel scaling while requiring no codebook. Furthermore, Yang [5] introduced a probabilistic model to solve the problem of pixel expansion, called probabilistic visual cryptography scheme (PVCS), in 2004. In a PVCS, the reconstruction of the image, however, is probabilistic, meaning that a secret pixel will be correctly reconstructed only with a certain probability. Since then, several studies have considered PVCS [6][7][8] . However, from the quality of reconstructed image, pixel expansion, recognized region size, and image types to be considered for evaluating PVCSs and RGs, Yang et al. [9] pointed out that RG and PVCS have no difference other than the terminology.
Encoding more than one image simultaneously is efficient with respect to time and space costs. Several studies have proposed and discussed schemes for encoding multiple images simultaneously [10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27] . The scheme proposed by Shyu [10] in 2009 is an extension of that proposed by Shyu [3] in 2007, which can encode two images simultaneously. In 2008, Chen et al. [11] proposed an RG-based visual multi-SSS (VMSSS) that entails using a rotating RG to encode two images into two shares. Furthermore, Chen et al. [12] presented another VMSSS that can embed four secret images into two shares by using four specific angles, namely 0 • , 90 • , 180 • , and 270 • . Liu et al. [13] adopted the idea presented by Chen et al. [12] and proposed a scheme that can encode three images into two meaningful shares. However, in those approaches, a restraint is imposed on the shape of the input images [11][12][13] ; that is, only square images can be input. To ensure more flexibility regarding the size, Chang et al. [14,15] proposed RG-based VMSSSs that can encrypt rectangular images. In these schemes, the confidential content can be reconstructed when users stack two shares with a specific offset and roll them into a cylinder. In 2014, Salehi and Balafar [16] proposed several VMSSSs that involve using a cylindrical RG. They provided two recovery operations, namely XOR and OR (the logical XOR, OR operations, or the Boolean XOR, OR operation); compared with OR, XOR produces images with superior quality after restoration [16] . The OR operation does not require any computation during the restoration of secret images, but the XOR operation does. Furthermore, in these schemes, the distortions are fixed according to the number of input secret images. In 2015, Tsao et al. [17] proposed an advanced VMSSS for a general access structure. In this scheme, the extraction of secret data can be prevented by stacking specific shares; however, any two shares cannot restore two different secrets. In 2016, Siva Reddy and Prasad [18] proposed an efficient share generation scheme that ensures the recovery of multiple secrets without any losses. However, this scheme is marred by two disadvantages. One of the disadvantages is that it requires the number of shares to be three times the number of secret images. The other disadvantage is that it applies the XOR recovery operation. Some studies have also considered using XOR operation to design their schemes [19,20] .
In VC, each share can be printed on a separate transparent sheet, and each input image can be decrypted by overlapping these shares. However, if the scheme lacks fault tolerance, then the reconstructed image may have severely poor visual quality in the event of misalignment. In 2002, Nakajima and Yamaguchi [21] proposed an enhanced VSS scheme that allows slight misalignment by reserving some space for fault tolerance. On the basis of the idea presented by Nakajima and Yamaguchi [21] , Juan et al. proposed two schemes with no pixel expansion in 2016 [22] and 2018 [23] , respectively. Al-Tamimi and Gaafar [24] designed a scheme that entails using four-pixel blocks to encrypt a secret. Although no pixel expansion occurred, they did not discuss a security analysis of their scheme. In 2016, Lin and Juan used the ideas described by Chang and Juan [14] in 2012, and Juan et al. [22] in 2016 to propose an advanced scheme [25] that can encode two images into two shares, and the images can be reconstructed by stacking two imperfectly aligned shares. In the present paper, we combine the ideas presented by Chang et al. [15] in 2018, and Juan and Chen [23] in 2018 and propose a faulttolerant multi-SSS that encodes more than two secret images into two shares simultaneously without pixel expansion.
The rest of this paper is organized as follows. Related work and the proposed scheme are presented in Sections 2 and 3, respectively. The experimental results are presented in Section 4. Analysis and comparisons are presented in Section 5.

RELATED WORK
In 1987, Kafri and Keren [2] first introduced the idea of RG that can be used to classify any pixel in an image as black (opaque) or white (transparent). An imager pixel is denoted as ( , ), where ( , ) is the pixel position in the image. We define a black pixel as ( , ) = 1 and a white pixel as ( , ) = 0. The probability of generating a white or black pixel in an RG is the same because of the inherent random mechanism of an RG; that is, the probability is equal to 1/2.
The transmittance of an image , denoted as ( ), is the ratio of the number of white pixels to all the pixels in . Therefore, the transmittance of each RG is 1/2. A secret image can be encrypted into two shares 1 and 2 , and the confidential content can be entirely restored according to the stacking rules, as presented in Table 1, where represents a pixel in for = 1, 2 and 1 ⊗ 2 represents the result of superimposing two pixels. On the basis of these definitions, three different RG algorithms were proposed by Kafri and Keren [2] , one of which (called KK1) is presented as follows. Table 2 presents the transmittance of 1 ⊗ 2 in KK1.

Return 1 and 2
Using the basic model of VC first introduced by Noar and Shamir [1] , Nakajima and Yamaguchi [21] proposed a fault-tolerant scheme with pixel expansion in which diamond patterns are designed for encoding; this allows slight deviations during stacking while enabling the classification of the original color of the secret image. In 2016, Juan et al. [22] proposed a fault-tolerant scheme without pixel expansion. This scheme considers × pixels as a unit; therefore, the images are divided into several units ( = 3, 4, 5, or 6). During the generation of the first share, a unit is selected randomly from the design patterns in the codebook. The unit in the second share is then selected from a specific pattern according to the number of black and white pixels of the secret image. Using the patterns designed by the authors will make the algorithm fault-tolerant. Next, Juan and Chen [23] proposed an improved algorithm to increase the value of to 7 in 2018. They designed the 7 × 7 patterns shown in Figure 1, which made their scheme more fault-tolerant. The transmittance of stacking results in terms of the black and white pixels is presented in Table 3. For details of these analyses, please refer to Juan and Chen' s scheme [23] .
With respect to RG, Lin and Juan [25] proposed a visual two-secret sharing scheme with no pixel expansion; the scheme has fault-tolerant mechanisms and combines the advantages of Juan et al. ' s scheme [22] and Chang and Juan' s scheme [14] . The encryption phase is divided into three parts, namely scale down, encryption, and tolerance. In the scale down part, an input image of size × pixels is partitioned into /6 × /6 units, where the size of each unit is 6 × 6 pixels ( = 6). In the other two parts, the design patterns in Juan et al. ' s scheme [22] are used for fault tolerance, and a concept similar to that in Chang and Juan' s scheme [14] is then used for encoding. In our scheme, we set = 7 and adopt the well-established design patterns in Juan and Chen' s scheme [23] to ensure misalignment tolerance. Since the transmittance of stacking results in Juan and Chen' s scheme [23] is better than those in Juan et al. 's scheme [22] , we believe that using the patterns in Juan and Chen' s scheme [23] to design our algorithm will yield better results than Lin and Juan' s [25] .
For multiple-image encryption, Chen et al. [12] proposed a scheme that encodes four secret images into two square shares. Through a rotating mechanism, the four confidential secret images can be restored by stacking one share on the other share after rotating by 0 • , 90 • , 180 • , or 270 • . Some disadvantages of the mentioned scheme [12] are as follows: the distortions are fixed, the input secret image should be a square, and the number of input secret images should be < or = 4. To address these disadvantages, Chang et al. [14,15] proposed some advanced schemes.
We briefly introduce Chang and Juan' s scheme [14] that encodes two images into two shares. The main idea of the algorithm [14] is as follows. Two images are divided into partitions, where is the positive factor of the width of the image (which can be determined by users). Every 2 pixels (in the same position of each subset of the partition) can be considered as a set and can be encrypted together in the next step. Next, an unencrypted pixel from one image is randomly selected to be the basis of the encoding process; subsequently, the corresponding 2 − 2 pixels can be encrypted (one of the pixels in this set is not encrypted). In addition, two images serve as the basis alternately; therefore, the unencrypted pixel is evenly distributed into two shares in the encoding process. Finally, the steps are repeated until two cipher-shares are generated. Therefore, all the secret data are evenly encrypted into two shares.
In the VMSSS [15] , the input images 0 , 1 , · · · , −1 of size × pixels are encoded into two shares 1 and 2 , and integer is selected according to user requirements (must be a positive factor of the width of the image ). Two consecutive images are randomly selected, and each set (2 pixels) is processed using Chang and Juan' s scheme [14] . Thus, input images are evenly selected, ensuring that each share contains the confidential data of every secret image. Figure 2 shows the main idea of how their scheme forms 2 pixels in 1 and 2 when one pixel ( , ) and two consecutive secret images and +1 are randomly selected (here, we let = 1 and = 4).
The study by Chang et al. [15] is an extension of Chang and Juan' s scheme [14] ; the schemes proposed by both studies involve the same recovery operation. During the restoration of secret images for = 0, 1, · · · , − 1, 1 is horizontally shifted by / pixels and then stacked with 2 . These two schemes involve shifting instead of rotating the RG to repair the shape problem of the input images and adopting for adjustable distortion. The distortion ( ) is defined as the ratio of the number of pixels that are not used in the encryption phase to the total number of pixels in all secret images. The distortion of the schemes in Chang and Juan' s scheme [14] and Chang et al. ' s scheme [15] can be calculated as 1/(2 ) and ([ − 2] + 1)/( ), respectively.
On the basis of the ideas presented in Chang et al. ' s scheme [15] , and Juan and Chen' s scheme [23] , we propose a more advanced scheme than Lin and Juan' s scheme [25] . Specifically, our proposed scheme uses design patterns [23] to ensure fault tolerance and encrypts multiple secret images by shifting the RG. The scheme is introduced in detail in the next section. To make the relationship between the above schemes clearer, we list them in Table 4.  Kafri and Keren [2] Juan et al. [22] Juan and Chen [23] Noar and Shamir [1] = 2 Chang and Juan [14] Lin and Juan [25] ≥ 2 Chang et al. [15] This paper

OUR SCHEME
In this section, we describe the proposed scheme for encrypting multi-secret images by shifting RGs through a fault-tolerant mechanism. Therefore, the proposed scheme can be denoted as fault-tolerant RG-based VMSSS (FT-VMSSS).
In our scheme, there are four functions and one procedure that help us build the main algorithm. The first three functions are defined as follows. They are used below in the procedure and main algorithm. is randomly selecting a pixel of . Definition 2.   : Reduced share , 1 ≤ ≤ 2, the size of ′ is /7 × /7 pixels. X : A random pattern in Figure 1, the size of is 7 × 7 pixels. : Share , 1 ≤ ≤ 2, the size of is × pixels. Figure 3 shows the model of the proposed encrypt method. The main concept of our approach is as follows: first, we divide each secret image into several blocks with pixels of size 7×7, thus resulting in 49 pixels per block. Second, we label each block as "black" or "white" according to the number of pixels in the block. If > 24 (half of 49) pixels in a block are black, then the block is labeled as black; otherwise, it is labeled as white. These two steps are what the function Scale-Down in the algorithm does. Then, similar to Chang et al. ' s VMSSS [15] , we repeat the encryption process until two cipher-shares are generated randomly using the aforementioned step and Figure 1 (from Juan and Chen' s scheme [23] ). Thus, when the images are restored, they consist of several design patterns, as presented in Figure 1. This process ensures that secret data are decipherable because of the sufficient transmittance difference, as presented in Table 3; for example, the transmittance differences are 73/196 and 25/196 in the case of "shift 1 pixel". This important step is done by Procedure E-VMSS.
Therefore, using the Scale-Down function, we obtain resized images ′ 0 , ′ 1 , · · · , ′ −1 with pixels of size /7 × /7 from the input secret images 0 , 1 , · · · , −1 with pixels of size × . We separate the primary procedure E-VMSS into two parts. In the first part (Encrypt part), we encrypt the scaled-down images ′ , ′ +1 into encoded contents ′ 1 and ′ 2 with pixels of size /7 × /7 according to the E-VMSS. In the second part (Scale-Up part), each pixel in ′ 1 and ′ 2 is restored to the corresponding pattern in Figure 1 to obtain 1 and 2 , according to the pattern randomly selected at the beginning. Then, 1 and 2 are obtained, which preserve the size of the input secret images, and the problem of pixel expansion is avoided. In other words, in procedure E-VMSS, we first encrypt the reduced secret images into two reduced shares (Encrypt part), and then restore the reduced shares back to the size we want, namely the size of the original secret images (Scale-Up part). Since such steps are performed pixel by pixel, the instructions of these two parts are not consecutive in procedure E-VMSS. For each pair of encrypted pixels in ′ , ′ +1 , we first generate a pair of relative pixels in reduced shares ′ 1 and ′ 2 , and then use this pair of pixels to immediately restore 7 × 7 pixels in shares 1 and 2 (with the same size as secret images ). Therefore, the algorithm FT-VMSSS can be performed using four basic functions and one procedure; the algorithmic codes are well constructed as described in the following subsection. The related notations are listed in Table 5.  for (int = 7 ; < 7( + 1); + +) for (int = 7 ; < 7( + 1); One pattern with pixels of size 7 × 7 is randomly selected from the 1 column in Figure 1 for (int = 0; < 7; + +) for (int = 0;

Decryption phase
After collecting the two cipher-grids 1 and 2 , users can easily restore secret images. The first secret image can be reconstructed by directly stacking 1 and 2 together. The secret image for = 1, 2, · · · , − 1 can be restored by superposing 1 and , where is obtained from 2 through horizontal shifting by a width  of / .

EXPERIMENTAL RESULTS
This section describes three experiments performed in this study. In the first experiment, we encoded three images into two shares, where the size of the input images was 980×980 pixels, as presented in Figure 4A-C. By setting to 3 and to 7 in the FT-VMSSS algorithm, we generated two cipher-shares 1 and 2 , as presented in Figure 4D and E. The first secret was restored by stacking 1 and 2 directly. The second (third) secret was obtained by superimposing 2 with 1 that had being horizontally shifted by a width of 1/7(2/7) to the left, as presented in Figure 4F-H. The results of imperfect stacking and one-pixel right shift are presented in Figure 4I-K. For example, when 2 was stacked with 1 that had shifted to the right by one pixel, the first restored image could still be obtained, as depicted in Figure 4I. The results for the other stacking cases involving misalignment and one-pixel diagonal shift are presented in Figure 4L-N.
In the second experiment, four images with pixels of size 980×980, as presented in Figure 5A and Figure 4A-C, were used, was set to 4, and was set to 7. The two shares 1 and 2 were generated after the FT-VMSS algorithm was applied, as depicted in Figure 5B and C. Perfect stacking of the reconstructed four secret images is presented in Figure 5D-G. Figure 5H-K presents the restored images for imperfect stacking (with a one-pixel right shift). Restored images for one-pixel diagonal shift are presented in Figure 5L-O.
In the third experiment, images with pixels of size 1960 × 1400 were used, as presented in Figure 6A-D. For this simulation, was set to 4 and was set to 20. Figure 6E and F presents the two cipher-shares generated. The first (second, third, and fourth) secrets were obtained using the decryption process described in Section 3, as indicated in Figure 6G ( Figure 6H-J, respectively). Experimental results for the case of imperfect alignment and one-pixel right shift are displayed in Figure 6K-N. The results for the case of misaligned stacking and one-pixel diagonal shift are presented in Figure 6O-R.

ANALYSIS AND CONCLUSIONS
In this paper, we present the design of an FT-VMSSS for sharing multiple secret images simultaneously, as described in Section 3. In the proposed scheme, multiple secrets can be embedded into two cipher shares, and the distortion is evenly distributed across the two shares.
Let ( ) be the transmittance of the area in the restored image , which corresponds to the white area in the secret image and ( ) be the transmittance of the area in the restored image , which corresponds to the black area in the secret images. We then recalculate the problem of transmittance because of the effect of distortion. The transmittance of the successfully encrypted part is not affected. However, the distortion part [( − 2) + 1)/ ] is not encrypted. The probability of the distortion part being black (or white) is 1/2. Therefore, the transmittance of the recovered image can be derived as follows, where ( ) and ( ) are described in Table 3 .
Therefore, when , ≥ 1, ( ) > ( ) because ( ) > ( ) in Table 3 (from Juan and Chen' s scheme [23] ) for any stacked restored image (perfect alignment or imperfect alignment with one-pixel shift, two-pixel shift, or diagonal one-pixel shift). Thus, the white and black pixel areas in each secret image can  be visually distinguished (or the information of secret images can be observed) from the restored image . Conversely, ( 1 ) = ( 2 ) = 1/2, since any unit is randomly selected in Figure 1 for any ( , ) in ′ 1 to construct the corresponding units of 1 and 2 . Thus, no information of any for = 0, 1, · · · , − 1 can be obtained from 1 or 2 individually. That means that our algorithm is correct and secure.
Through the encryption process described in Section 3 and Chang et al. ' s scheme [15] , we can calculate the distortion of the restored images as follows, where is the number of input secret images and is the specified positive factor of the width of the input image.
According to our experimental results, fault-tolerant performance can permit a shift of only one pixel. Figures  7-9 indicate that, for the transmittance analysis for sharing three or four secret images, p = 7 or 20, the difference between white and black transmittance decreased gradually from the case of perfect stacking to that of imperfect stacking (but ( ) > ( ) in any case). Therefore, to address the fault caused by more pixel shifting, the input secret images must be set in a larger size. Table 6 presents a comparison of the performance of our scheme and those of schemes proposed in related studies. Among the schemes proposed in related studies, those with a fault-tolerant mechanism can encrypt at most two secret images at a time, and those that can encrypt any multiple secret images lack the mechanism of fault tolerance. Our scheme is the first MVSSS to be fault-tolerant and can really encrypt any number of secret images. Therefore, compared with these schemes, our scheme is more practical.