Department of Applied Math and Computer Science, Weizmann Institute, Rehovot 76100, Israel.
e-mail: {naor,shamir}@wisdom.weizmann.ac.il

Abstract. In this paper we consider a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations. The scheme is perfectly secure and very easy to implement. We extend it into a visual variant of the $k$ out of $n$ secret sharing problem, in which a dealer provides a transparency to each one of the $n$ users; any $k$ of them can see the image by stacking their transparencies, but any $k - 1$ of them gain no information about it.

1 Introduction

In this paper we consider the problem of encrypting written material (printed text, handwritten notes, pictures, etc.) in a perfectly secure way which can be decoded directly by the human visual system. The basic model consists of a printed page of ciphertext (which can be sent by mail or faxed) and a printed transparency (which serves as a secret key). The original cleartext is revealed by placing the transparency with the key over the page with the ciphertext, even though each one of them is indistinguishable from random noise. The system is similar to a one time pad in the sense that each page of ciphertext is decrypted with a different transparency. Due to its simplicity, the system can be used by anyone without any knowledge of cryptography and without performing any cryptographic computations.

The best way to visualize the visual cryptographic scheme is to consider a concrete example. At the end of this extended abstract we enclose two random looking dot patterns.
To decrypt the secret message, the reader should photocopy each pattern on a separate transparency, align them carefully, and project the result with an overhead projector.

This basic model can be extended into a visual variant of the $k$ out of $n$ secret sharing problem: Given a written message, we would like to generate $n$ transparencies so that the original message is visible if any $k$ (or more) of them are stacked together, but totally invisible if fewer than $k$ transparencies are stacked together (or analysed by any other method). The original encryption problem can be considered as a 2 out of 2 secret sharing problem.

The main results of this paper (besides introducing this new paradigm of cryptographic schemes) include practical implementations of a $k$ out of $n$ visual secret sharing scheme for small values of $k$ and $n$, as well as efficient asymptotic constructions which can be proven optimal within certain classes of schemes.

* Research supported by an Alon Fellowship.

2 The Model

The simplest version of the visual secret sharing problem assumes that the message consists of a collection of black and white pixels and each pixel is handled separately.² Each original pixel appears in $n$ modified versions (called shares), one for each transparency. Each share is a collection of $m$ black and white subpixels, which are printed in close proximity to each other so that the human visual system averages their individual black/white contributions. The resulting structure can be described by an $n \times m$ Boolean matrix $S = [s_{ij}]$ where $s_{ij} = 1$ iff the $j$th subpixel in the $i$th transparency is black. When transparencies $i_1, i_2, \ldots, i_r$ are stacked together in a way which properly aligns the subpixels, we see a combined share whose black subpixels are represented by the Boolean "or" of rows $i_1, i_2, \ldots, i_r$ in $S$. The grey level of this combined share is proportional to the Hamming weight $H(V)$ of the "or"ed $m$-vector $V$. This grey level is interpreted by the visual system of the users as black if $H(V) \ge d$ and as white if $H(V) < d - \alpha m$ for some fixed threshold $1 \le d \le m$ and relative difference $\alpha > 0$.

This framework resembles the framework of linear codes, with the important difference that the underlying algebraic structure is a semi-group rather than a group. In particular, the visual effect of a black subpixel in one of the transparencies cannot be undone by the colour of that subpixel in other transparencies which are laid over it. This monotonicity rules out common encryption techniques which add random noise to the cleartext during the encryption process, and subtract the same noise from the ciphertext during the decryption process. It also rules out the more natural model in which a white pixel is represented by a completely white collection of subpixels and a black pixel is represented by a completely black collection of subpixels, and thus we have to use a threshold $d$ and relative difference $\alpha > 0$ to distinguish between the colours.

Definition 1. A solution to the $k$ out of $n$ visual secret sharing scheme consists of two collections of $n \times m$ Boolean matrices $C_0$ and $C_1$. To share a white pixel, the dealer randomly chooses one of the matrices in $C_0$, and to share a black pixel, the dealer randomly chooses one of the matrices in $C_1$.
The chosen matrix defines the colour of the $m$ subpixels in each one of the $n$ transparencies. The solution is considered valid if the following three conditions are met:

1. For any $S$ in $C_0$, the "or" $V$ of any $k$ of the $n$ rows satisfies $H(V) \le d - \alpha \cdot m$.
2. For any $S$ in $C_1$, the "or" $V$ of any $k$ of the $n$ rows satisfies $H(V) \ge d$.
3. For any subset $\{i_1, i_2, \ldots, i_q\}$ of $\{1, 2, \ldots, n\}$ with $q < k$, the two collections of $q \times m$ matrices $D_t$ for $t \in \{0, 1\}$ obtained by restricting each $n \times m$ matrix in $C_t$ (where $t = 0, 1$) to rows $i_1, i_2, \ldots, i_q$ are indistinguishable in the sense that they contain the same matrices with the same frequencies.

Condition 3 implies that by inspecting fewer than $k$ shares, even an infinitely powerful cryptanalyst cannot gain any advantage in deciding whether the shared pixel was white or black. In most of our constructions, there is a function $f$ such that the combined shares from $q < k$ transparencies consist of all the $V$'s with $H(V) = f(q)$ with uniform probability distribution, regardless of whether the matrices were taken from $C_0$ or $C_1$. Such a scheme is called uniform. The first two conditions are called contrast and the third condition is called security.

² It is conceivable that handling larger groups of pixels simultaneously yields better results.

The important parameters of a scheme are:

- $m$, the number of pixels in a share. This represents the loss in resolution from the original picture to the shared one. We would like $m$ to be as small as possible.
- $\alpha$, the relative difference in weight between combined shares that come from a white pixel and a black pixel in the original picture. This represents the loss in contrast. We would like $\alpha$ to be as large as possible.
- $r$, the size of the collections $C_0$ and $C_1$ (they need not be the same size, but in all of our constructions they are). $\log r$ represents the number of random bits needed to generate the shares and does not affect the quality of the picture.

Results: We have a number of constructions for specific values of $k$ and $n$. For general $k$ we have a construction for the $k$ out $k$ problem with $m = 2^{k-1}$ and $\alpha = \frac{1}{2^{k-1}}$ and we have a proof of optimality of this scheme. For general $k$ and $n$ we have a construction with $m = \log n \cdot 2^{O(k \log k)}$ and $\alpha = \frac{1}{2^{\Omega(k)}}$.

3 Efficient solutions for small k and n

The 2 out of $n$ visual secret sharing problem can be solved by the following collections of $n \times n$ matrices:

$C_0$ = {all the matrices obtained by permuting the columns of
$C_1$ = {all the matrices obtained by permuting the columns of

Any single share in either $C_0$ or $C_1$ is a random choice of one black and $n - 1$ white subpixels. Any two shares of a white pixel have a combined Hamming weight of 1, whereas any two shares of a 1 pixel have a combined Hamming weight of 2, which looks darker. The visual difference between the two cases becomes clearer as we stack additional transparencies.

The original problem of visual cryptography is the special case of a 2 out of 2 visual secret sharing problem. It can be solved with two subpixels per pixel, but in practice this can distort the aspect ratio of the original image. It is thus recommended to use 4 subpixels arranged in a $2 \times 2$ array where each share has one of the visual forms in Figure 1. A white pixel is shared into two identical arrays from this list, and a black pixel is shared into two complementary arrays from this list.

Fig. 1. horizontal shares, vertical shares, diagonal shares

Any single share is a random choice of two black and two white subpixels, which looks medium grey. When two shares are stacked together, the result is either medium grey (which represents white) or completely black (which represents black).

The next case is the 3 out of 3 visual secret sharing problem, which is solved by the following scheme:

$C_0$ = {all the matrices obtained by permuting the columns of $\begin{bmatrix} 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 0 \end{bmatrix}$}

$C_1$ = {all the matrices obtained by permuting the columns of $\begin{bmatrix} 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 0 & 0 & 1 \end{bmatrix}$}

Note that the six shares described by the rows of $C_0$ and $C_1$ are exactly the six $2 \times 2$ arrays of subpixels from Fig. 1. Each matrix in either $C_0$ or $C_1$ contains one horizontal share, one vertical share and one diagonal share. Each share contains a random selection of two black subpixels, and any pair of shares from one of the matrices contains a random selection of one common black subpixel and two individual black subpixels. Consequently, the analysis of one or two shares makes it impossible to distinguish between $C_0$ and $C_1$. However, a stack of three transparencies from $C_0$ is only 3/4 black, whereas a stack of three transparencies from $C_1$ is completely black.

The following scheme generalizes this 3 out of 3 scheme into a 3 out of $n$ scheme for an arbitrary $n \ge 3$. Let $B$ be the black $n \times (n - 2)$ matrix which contains only 1's, and let $I$ be the identity $n \times n$ matrix which contains 1's on the diagonal and 0's elsewhere. Let $BI$ denote the $n \times (2n - 2)$ matrix obtained by concatenating $B$ and $I$, and let $c(BI)$ be the Boolean complement of the matrix $BI$.
Then

$C_0$ = {all the matrices obtained by permuting the columns of $c(BI)$}
$C_1$ = {all the matrices obtained by permuting the columns of $BI$}

has the following properties: Any single share contains an arbitrary collection of $n - 1$ black and $n - 1$ white subpixels; any pair of shares have $n - 2$ common black and two individual black subpixels; any stacked triplet of shares from $C_0$ has $n$ black subpixels, whereas any stacked triplet of shares from $C_1$ has $n + 1$ black subpixels.

The 4 out of 4 visual secret sharing problem can be solved by the shares described in Figure 2 (along with all their permutations).

Fig. 2. shares of a white pixel; shares of a black pixel

Any single share contains 5 black subpixels, any stacked pair of shares contains 7 black subpixels, any stacked triplet of shares contains 8 black subpixels, and any stacked quadruple of shares contains either 8 or 9 black subpixels, depending on whether the shares were taken from $C_0$ or $C_1$. It is possible to reduce the number of subpixels from 9 to 8, but then they cannot be packed into a square array without distorting their aspect ratio.

4 A general k out of k scheme

We now describe two general constructions which can solve any $k$ out of $k$ visual secret sharing problem by using $2^k$ and $2^{k-1}$ subpixels respectively. We then prove that the second construction is optimal in that any $k$ out $k$ scheme must use at least $2^{k-1}$ pixels.

Construction 1

To define the two collections of matrices we make use of two lists of vectors $J^0_1, J^0_2, \ldots, J^0_k$ and $J^1_1, J^1_2, \ldots, J^1_k$. Let $J^0_1, J^0_2, \ldots, J^0_k$ be vectors of length $k$ over GF[2] with the property that every $k - 1$ of them are linearly independent over GF[2], but the set of all $k$ vectors is not independent. Such a collection can be easily constructed, e.g. let $J^0_i = 0^{i-1} 1 0^{k-i}$ for $1 \le i < k$ and $J^0_k = 1^{k-1} 0$. Let $J^1_1, J^1_2, \ldots, J^1_k$ be vectors of length $k$ over GF[2] with the property that they are linearly independent over GF[2]. (This can be thought of as a first order Reed-Muller code [7].) Each list defines a $k \times 2^k$ matrix $S^t$ for $t \in \{0, 1\}$ and the collections $C_0$ and $C_1$ are obtained by permuting the columns of the corresponding matrix in all possible ways. We index the columns of $S^t$ by vectors of length $k$ over GF[2]. For $t \in \{0, 1\}$ let $S^t$ be defined as follows: $S^t[i, x] = \langle J^t_i, x \rangle$ for any $1 \le i \le k$ and any vector $x$ of length $k$ over GF[2], where $\langle x, y \rangle$ denotes the inner product over GF[2].

Lemma 2. The above scheme is a $k$ out of $k$ scheme with parameters $m = 2^k$, $\alpha = 1/2^k$ and $r = 2^k!$.

Proof: In order to show contrast, note that in matrix $S^0$ there are two columns that are all zero; in the example given these are the column indexed by $x = 0^k$ and the column indexed by $x = 0^{k-1}1$. On the other hand, in $S^1$ there is only one column that is all 0, the one corresponding to $x = 0^k$. Therefore in any permutation of $S^0$ the "or" of the $k$ rows yields $2^k - 2$ ones, whereas in any permutation of $S^1$ the "or" of the $k$ rows yields $2^k - 1$ ones. In order to show security, note that the vectors corresponding to any $k - 1$ rows in both $S^0$ and $S^1$ are linearly independent over GF[2]. Therefore if one considers the rows as subsets of a ground set of size $2^k$, then every intersection of $k - 1$ rows or their complement has the same size, two.
(Note that we include complemented sets, and thus if all possible intersections of $k - 1$ are the same, then all smaller intersections are the same as well.) Hence a random permutation of the columns yields the same distribution regardless of which $k - 1$ rows were chosen (provided the corresponding vectors are linearly independent). □

Construction 2

We now show a slightly better scheme with parameters $m = 2^{k-1}$, $\alpha = 1/2^{k-1}$ and $r = 2^{k-1}!$. Consider a ground set $W = \{e_1, e_2, \ldots, e_k\}$ of $k$ elements and let $\pi_1, \pi_2, \ldots, \pi_{2^{k-1}}$ be a list of all the subsets of even cardinality and let $\sigma_1, \sigma_2, \ldots, \sigma_{2^{k-1}}$ be a list of all the subsets of $W$ of odd cardinality (the order is not important). Each list defines the following $k \times 2^{k-1}$ matrices $S^0$ and $S^1$: For $1 \le i \le k$ and $1 \le j \le 2^{k-1}$ let $S^0[i, j] = 1$ iff $e_i \in \pi_j$ and $S^1[i, j] = 1$ iff $e_i \in \sigma_j$. As in the construction above, the collections $C_0$ and $C_1$ are obtained by permuting all the columns of the corresponding matrix.

Lemma 3. The above scheme is a $k$ out of $k$ scheme with parameters $m = 2^{k-1}$, $\alpha = 1/2^{k-1}$ and $r = 2^{k-1}!$.

Proof: In order to show contrast, note that in matrix $S^0$ there is one column that is all zero, the one indexed by the empty set. On the other hand, in $S^1$ there is no column that is all 0. Therefore in any permutation of $S^0$ the "or" of the $k$ rows yields only $2^{k-1} - 1$ ones, whereas in any permutation of $S^1$ the "or" of the $k$ rows yields $2^{k-1}$ ones.
In order to show security, note that if one examines any $k - 1$ rows in either $S^0$ and $S^1$ then the structure discovered is similar: consider the rows as subsets of a ground set of size $2^{k-1}$; every intersection of $k - 1$ rows or their complement has the same size, two. Hence a random permutation of the columns yields the same distribution regardless of which $k - 1$ rows were chosen. □

Upper bound on $\alpha$: We show that $\alpha$ must be exponentially small as a function of $k$ and, in fact, get a tight bound that $1/\alpha \ge 2^{k-1}$. The key combinatorial fact used is the following (see [5, 6]): given two sequences of sets $A_1, A_2, \ldots, A_k$ and $B_1, B_2, \ldots, B_k$ of some ground set $G$ such that for every subset $U \subset \{1, \ldots, k\}$ of size at most $k - 1$ we have $|\bigcap_{i \in U} A_i| = |\bigcap_{i \in U} B_i|$, then

$$\left|\bigcup_{i=1}^{k} A_i\right| \le \frac{1}{2^{k-1}} \cdot |G| + \left|\bigcup_{i=1}^{k} B_i\right|.$$

In other words, if the intersections of the $A_i$'s and $B_i$'s agree in size for all subsets smaller than $k$ elements, then the difference in the union cannot be too large.

Consider now a $k$ out $k$ scheme $C$ with parameters $m$, $\alpha$ and $r$. Let the two collections be $C_0$ and $C_1$. We construct from the collections two sequences of sets $A_1, A_2, \ldots, A_k$ and $B_1, B_2, \ldots, B_k$. The ground set is of size $m \cdot r$ and its elements are indexed by $(x, y)$ where $1 \le x \le r$ and $1 \le y \le m$. Element $(x, y)$ is in $A_i$ iff $S^0_x[i, y] = 1$ and element $(x, y)$ is in $B_i$ iff $S^1_x[i, y] = 1$. We claim that for any $U \subset \{1, \ldots, k\}$ of size $q < k$ the equality $|\bigcap_{i \in U} A_i| = |\bigcap_{i \in U} B_i|$ holds. The security condition of $C$ implies that we can construct a 1-1 mapping between all the $q \times m$ matrices obtained from considering only rows corresponding to $U$ in $C_0$ and the $q \times m$ matrices of $C_1$ such that any two matched matrices are identical.
(Strictly speaking, the security condition is not strong enough to imply it, but given any scheme we can convert it into one that has this property without changing $\alpha$ and $m$.) Therefore when considering $|\bigcap_{i \in U} A_i|$ and $|\bigcap_{i \in U} B_i|$ the contribution of each member of a pair of matched matrices is identical and hence $|\bigcap_{i \in U} A_i| = |\bigcap_{i \in U} B_i|$. Applying now the combinatorial fact mentioned above yields that

$$\left|\bigcup_{i=1}^{k} B_i\right| \le \frac{1}{2^{k-1}} \cdot r m + \left|\bigcup_{i=1}^{k} A_i\right|$$

which means that for at least one matrix in $C_1$ and one matrix in $C_0$ the difference between the Hamming weight of the "or" of their rows is at most $\frac{1}{2^{k-1}} \cdot m$. Hence we have

Theorem 4. In any $k$ out $k$ scheme $\alpha \le \frac{1}{2^{k-1}}$ and $m \ge 2^{k-1}$.

5 A general k out of n scheme

In this section we construct a $k$ out of $n$ scheme. What we show is how to go from a $k$ out of $k$ scheme to a $k$ out of $n$ scheme. Let $C$ be a $k$ out of $k$ visual secret sharing scheme with parameters $m$, $r$, $\alpha$. The scheme $C$ consists of two collections of $k \times m$ Boolean matrices $C_0 = T^0_1, T^0_2, \ldots, T^0_r$ and $C_1 = T^1_1, T^1_2, \ldots, T^1_r$. Furthermore, assume the scheme is uniform, i.e. there is a function $f(q)$ such that for any matrix $T^t_i$ where $t \in \{0, 1\}$ and $1 \le i \le r$ and for every $1 \le q \le k - 1$ rows of $T^t_i$ the Hamming weight of the "or" of the $q$ rows is $f(q)$. Note that all our previous constructions have this property. Let $H$ be a collection of $\ell$ functions such that

1. $\forall h \in H$ we have $h : \{1..n\} \mapsto \{1..k\}$
2. For all subsets $B \subset \{1..n\}$ of size $k$ and for all $1 \le q \le k$ the probability that a randomly chosen $h \in H$ yields $q$ different values on $B$ is the same. Denote this probability by $\beta_q$.

We construct from $C$ and $H$ a $k$ out of $n$ scheme $C'$ as follows:

- The ground set is $V = U \times H$ (i.e. it is of size $m \cdot \ell$ and we consider its elements as indexed by a member of $U$ and a member of $H$).
- Each $1 \le t \le r^{\ell}$ is indexed by a vector $(t_1, t_2, \ldots, t_\ell)$ where each $1 \le t_i \le r$.
- The matrix $S^b_t$ for $t = (t_1, t_2, \ldots, t_\ell)$ where $b \in \{0, 1\}$ is defined as $S^b_t[i, (j, h)] = T^b_{t_h}[h(i), j]$

Lemma 5. If $C$ is a scheme with parameters $m$, $\alpha$, $r$, then $C'$ is a scheme with parameters $m' = m \cdot \ell$, $\alpha' = \alpha \cdot \beta_k$, $r' = r^{\ell}$.

Proof: In order to show contrast, note that for any $k$ rows in a matrix $S^b_t$ and any $h \in H$, if the subset corresponding to the $k$ rows is mapped to $q < k$ different values by $h$, then we know by the assumption of uniformity that the weight of the "or" of the $q$ rows in $C$ is $f(q)$. The difference between white pixels and black pixels occurs only when $h$ is 1-1, which happens at $\beta_k$ of the $h \in H$, and it is $\alpha \cdot m$ in this case. Therefore the Hamming weight of an "or" of $k$ rows of a white pixel is at most

$$\ell \left( \beta_k \cdot (d - \alpha m) + \sum_{q=1}^{k-1} \beta_q \cdot f(q) \right)$$

and the weight of a black pixel is

$$\ell \left( \beta_k \cdot d + \sum_{q=1}^{k-1} \beta_q \cdot f(q) \right)$$

which means that the relative difference between them is at least $\beta_k \cdot \alpha$. In order to show security note that we are essentially repeating $\ell$ times the scheme $C$ where each instance is independent of all other instances. Therefore from the security of $C$ we get the security of $S$. □

Construction of $H$: One can construct $H$ from a collection of $k$-wise independent hash functions (see e.g. [3], [4], [9]). Suppose that $H$ is such that for any $k$ values $x_1, x_2, \ldots, x_k \in \{1, \ldots, n\}$ the $k$ random variables defined by $X_1 = h(x_1), X_2 = h(x_2), \ldots, X_k = h(x_k)$ for a randomly chosen $h \in H$ are completely independent.
Since they are independent, the probability that they yield $q$ different values is the same, no matter what $x_1, x_2, \ldots, x_k$ are. For a concrete example, assume that $k$ is a prime (otherwise we have to deal with its factors), and let $l$ be such that $k^l > n$. The family $H$ is based on the set of polynomials of degree $k - 1$ over GF[$k^l$], where for every $h \in H$ there is a corresponding polynomial $q(x)$, and $h(x) = q(x) \bmod k$. The size of $H$ is about $n^k$. The probability $\beta_k$ that a random $h$ is 1-1 on a set of $k$ elements is

$$\frac{k!}{k^k} \ge \frac{(k/e)^k \sqrt{2 \pi k}}{k^k} = \frac{\sqrt{2 \pi k}}{e^k}.$$

We can therefore conclude by applying Lemma 5:

Theorem 6. For any $n$ and $k$ there exists a visual secret sharing scheme with parameters $m = n^k \cdot 2^{k-1}$, $\alpha = (2e)^{-k} / \sqrt{2 \pi k}$ and $r = n^k (2^{k-1}!)$.

5.1 Relaxing the conditions on H

Suppose now that we relax Condition 2 in the definition of $H$ to the following: there exists an $\epsilon$ such that for all subsets $B \subset \{1..n\}$ of size $k$ and for all $1 \le q \le k$ the probability that a randomly chosen $h \in H$ yields $q$ different values on $B$ is the same to within $\epsilon$. As we shall see, this leeway allows for much smaller $H$'s. Taking $\epsilon$ to be small, say smaller than $\alpha \beta_k / 4$, cannot make a big difference in the quality of our construction: The Hamming weight of an "or" of $k$ rows of a white pixel is at most

$$\ell \left( (\beta_k + \epsilon) \cdot (d - \alpha m) + \sum_{q=1}^{k-1} (\beta_q + \epsilon) \cdot f(q) \right)$$

and the weight of a black pixel is at least

$$\ell \left( (1 - \epsilon) \beta_k \cdot d + \sum_{q=1}^{k-1} (1 - \epsilon) \cdot \beta_q \cdot f(q) \right).$$

The relative difference between black and white is therefore at least $\beta_k \cdot \alpha - 2\epsilon$. Note that the security of the scheme is not affected at all, since fewer than $k$ shares never map to $k$ different values.
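
Lemma 5 and the three conditions of Definition 1 can be checked exhaustively on a small instance. The following Python sketch is an added example, not code from the paper: it takes Construction 2 as the base scheme $C$, assumes $H$ is the set of all functions from $\{1..n\}$ to $\{1..k\}$ (which satisfies Condition 2 trivially), and uses function names of its own.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations, permutations, product


def construction2(k):
    """Base matrices (S0, S1) of Construction 2, each k x 2^(k-1).
    Columns of S0 are the even-cardinality subsets of {e_1..e_k}, columns of S1
    the odd-cardinality ones, both written as characteristic vectors."""
    vectors = list(product((0, 1), repeat=k))

    def as_rows(cols):
        return tuple(tuple(c[i] for c in cols) for i in range(k))

    return (as_rows([v for v in vectors if sum(v) % 2 == 0]),
            as_rows([v for v in vectors if sum(v) % 2 == 1]))


def column_permutations(S):
    """The collection generated by S: every column permutation, one entry each."""
    m = len(S[0])
    return [tuple(tuple(row[j] for j in p) for row in S)
            for p in permutations(range(m))]


def lift(C, n, k):
    """Lemma 5 lift of a k out of k collection C to n shares:
    S_t[i, (j, h)] = T_{t_h}[h(i), j], one base matrix t_h chosen per h in H.
    Assumption of this example: H is the set of ALL functions {1..n} -> {1..k}."""
    H = list(product(range(k), repeat=n))        # h[i] plays the role of h(i)
    lifted = []
    for t in product(range(len(C)), repeat=len(H)):
        lifted.append(tuple(
            tuple(bit for h, th in zip(H, t) for bit in C[th][h[i]])
            for i in range(n)))
    return lifted


def or_weight(rows):
    """Hamming weight of the Boolean "or" of the given rows (stacked shares)."""
    return sum(1 for col in zip(*rows) if any(col))


def check(C0, C1, n, k):
    """Evaluate Definition 1 exhaustively. Returns (max weight of k stacked white
    shares, min weight of k stacked black shares, relative difference alpha,
    whether the security condition holds)."""
    m = len(C0[0][0])
    ksets = list(combinations(range(n), k))
    white = max(or_weight([S[i] for i in U]) for S in C0 for U in ksets)
    black = min(or_weight([S[i] for i in U]) for S in C1 for U in ksets)
    # Security: restricted to any q < k rows, both collections must contain the
    # same matrices with the same frequencies.
    secure = all(
        Counter(tuple(S[i] for i in U) for S in C0)
        == Counter(tuple(S[i] for i in U) for S in C1)
        for q in range(1, k) for U in combinations(range(n), q))
    return white, black, Fraction(black - white, m), secure


def base_scheme(k):
    S0, S1 = construction2(k)
    return column_permutations(S0), column_permutations(S1)


def lifted_scheme(n, k):
    C0, C1 = base_scheme(k)
    return lift(C0, n, k), lift(C1, n, k)


if __name__ == "__main__":
    print("3 out of 3:", check(*base_scheme(3), 3, 3))
    print("2 out of 3:", check(*lifted_scheme(3, 2), 3, 2))
```

For $k = 2$, $n = 3$ the lifted scheme has $m' = 16$ subpixels and the measured relative difference equals $\alpha \cdot \beta_k$ with $\alpha = 1/2$ and $\beta_2 = 1/2$, as Lemma 5 states.
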

Construction of relaxed $H$: We use small-bias probability spaces to construct such a relaxed family (see [8], [2], [3] for definitions and constructions). A probability space with random variables that are $\epsilon$-bias is an approximation to a probability space with completely independent random variables, in that the bias (i.e. the difference between the probability that their parity is 0 and 1) is bounded by $\epsilon$ (as opposed to 0 in the complete independence). Similarly, a probability space which is $k$-wise $\epsilon$-bias is an approximation to $k$-wise independent probability spaces.

Assume that $k$ is a power of 2. Let $R$ be a $k \log k$-wise $\delta$-bias probability space on $n \log k$ random variables which takes values in $\{0, 1\}$. They are indexed as $Y_{ij}$ for $1 \le i \le n$ and $1 \le j \le \log k$. There are explicit constructions of such probability spaces of size $2^{O(k \log k)} \log n$ (see [8], [1]). Each function $h$ corresponds to a point in the probability space. $h(x)$ is the value of $Y_{x1}, Y_{x2}, \ldots, Y_{x \log k}$ treated as a number between 0 and $2^{\log k} - 1$. It can be shown that for all $x_1, x_2, \ldots, x_k \in \{1, \ldots, n\}$ and for all $y_1, y_2, \ldots, y_k \in \{0, \ldots, 2^{\log k} - 1\}$ we have

$$\frac{1}{k^k} - \delta \le \mathrm{Prob}[h(x_1) = y_1, h(x_2) = y_2, \ldots, h(x_k) = y_k] \le \frac{1}{k^k} + \delta.$$

Therefore taking $\delta =$ implies that $\epsilon \le 2^{-2k}$ and we get a scheme in which the number of subpixels grows only logarithmically with the number of shares $n$.

Theorem 7. For any $n$ and $k$ there exists a visual secret sharing scheme with parameters $m = \log n \cdot 2^{O(k \log k)}$, $\alpha = 2^{-\Omega(k)}$.

6 Extensions

There are many possible enhancements and extensions of the basic model introduced in this paper.
Consider, for example, the problem of visual encryption of a continuous tone image whose pixels have grey levels ranging from 0 to 255. A brute force solution can divide an original pixel with grey level $g$ into an $8 \times 8$ array of $g$ black and $256 - g$ white subpixels, and then encrypt each black and white subpixel separately by dividing it further into an array of subsubpixels with our techniques. However, we propose a more direct and elegant solution to the continuous tone visual encryption problem by using the following observation:

Fig. 3. first share, second share, stacked share

Each pixel in each one of the two transparencies is represented by a rotated half circle. When the two half circles (with rotation angles $a$ and $b$) are carefully aligned, the superposition of the two half circles can range in colour from medium grey (representing white) to completely black (representing black) depending on the relative angle $a - b$ between the two rotated half circles (see Figure 3). If we choose for each pixel in each share a random absolute rotation angle (with the desired relative rotation angle between them), then each transparency will look uniformly grey and will reveal absolutely no information, but the superposition of the two transparencies will be a darker version of the original continuous tone image.

Another interesting extension of the original model deals with the problem of concealing the very existence of the secret message. Is it possible to send (by mail or fax) an innocent looking image of a house, superimpose on it an innocent looking transparency of a dog, and get a spy message with no trace of either the house or the dog?
To construct such a scheme, we consider $2 \times 2$ arrays of subpixels, and define two types of shares (white with 2 black subpixels and black with 3 black subpixels) and two types of superimposed results (white with 3 black subpixels and black with 4 black subpixels). If the desired result is white, we use the shares presented in the top row of Figure 4 (along with their permutations). If the desired result is black, we use the shares presented in the bottom row of Figure 4 (along with their permutations):

Fig. 4. Use top row for white and bottom row for black. Panels in each row: two white shares; white and black shares; two black shares

The reader can easily convince himself that each transparency can contain an arbitrary image which reveals no information whatsoever about the superimposed image.

Acknowledgements

We thank Nati Linial for explaining his work on inclusion-exclusion, Ronny Roth for careful reading of the paper and Ronen Basri for helping us with the figures.

References

1. N. Alon, J. Bruck, J. Naor, M. Naor and R. Roth, Construction of asymptotically good, low-rate error-correcting codes through pseudo-random graphs, IEEE Transactions on Information Theory, 38 (1992), 509-516.
2. N. Alon, O. Goldreich, J. Hastad and R. Peralta, Simple constructions of almost k-wise independent random variables, Random Structures and Algorithms 3 (1992), 289-304.
3. N. Alon and J. Spencer, The probabilistic method, Wiley, 1992.
4. J. L. Carter and M. N. Wegman, Universal classes of hash functions, Journal of Computer and System Sciences 18 (1979), pp. 143-154.
5. J. Kahn, N. Linial and A. Samorodnitsky, Inclusion-exclusion: exact and approximate, manuscript.
6. N. Linial and N. Nisan, Approximate inclusion-exclusion, Combinatorica 10, 1990, pp. 349-365.
7. F. J. MacWilliams and N. J. A. Sloane, The theory of error correcting codes, North Holland, Amsterdam, 1977.
8. J. Naor and M. Naor, Small bias probability spaces: efficient constructions and applications, SIAM J. on Computing, vol 22, 1993, pp. 838-856.
9. M. N. Wegman and J. L. Carter, New hash functions and their use in authentication and set equality, Journal of Computer and System Sciences 22, pp. 265-279 (1981).

Figure 5
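
The dealing and stacking steps for the 3 out of 3 scheme of Section 3 can be carried out on a small bitmap as follows. This Python sketch is an added example, not code from the paper: the two base matrices are the ones given in Section 3, while the function names, the $2 \times 2$ subpixel layout order and the sample bitmap are assumptions of the example.

```python
import secrets

# Base matrices of the 3 out of 3 scheme exactly as given in Section 3.
S_WHITE = ((0, 0, 1, 1), (0, 1, 0, 1), (0, 1, 1, 0))
S_BLACK = ((1, 1, 0, 0), (1, 0, 1, 0), (1, 0, 0, 1))
_rng = secrets.SystemRandom()   # the column permutations are the key material


def deal_pixel(black):
    """Pick a fresh random column permutation of the base matrix for one pixel
    and return the three shares, each a 2 x 2 array of subpixels (1 = black)."""
    base = S_BLACK if black else S_WHITE
    perm = list(range(4))
    _rng.shuffle(perm)
    rows = [[row[j] for j in perm] for row in base]
    return [[r[0:2], r[2:4]] for r in rows]


def deal_image(image):
    """image: list of rows of 0 (white) / 1 (black). Returns 3 transparencies,
    each twice the width and height of the image."""
    h, w = len(image), len(image[0])
    sheets = [[[0] * (2 * w) for _ in range(2 * h)] for _ in range(3)]
    for y in range(h):
        for x in range(w):
            for sheet, block in zip(sheets, deal_pixel(image[y][x])):
                for dy in range(2):
                    for dx in range(2):
                        sheet[2 * y + dy][2 * x + dx] = block[dy][dx]
    return sheets


def stack(*sheets):
    """Overlay transparencies: a subpixel is black if it is black on any sheet."""
    return [[int(any(px)) for px in zip(*rows)] for rows in zip(*sheets)]


def blackness(sheet):
    """Black subpixels per 2 x 2 block, i.e. the Hamming weight H(V) per pixel."""
    return [[sheet[y][x] + sheet[y][x + 1] + sheet[y + 1][x] + sheet[y + 1][x + 1]
             for x in range(0, len(sheet[0]), 2)]
            for y in range(0, len(sheet), 2)]


def decode(stacked, d=4):
    """Threshold rule of Section 2: a pixel reads as black iff H(V) >= d."""
    return [[int(v >= d) for v in row] for row in blackness(stacked)]


# Constructed 5 x 5 test bitmap (a plus sign), not taken from the paper.
SAMPLE = [[0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0],
          [1, 1, 1, 1, 1],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0]]

if __name__ == "__main__":
    a, b, c = deal_image(SAMPLE)
    for row in decode(stack(a, b, c)):
        print("".join("#" if v else "." for v in row))
```

Every pixel needs its own fresh permutation from a cryptographically strong source; reusing a permutation across pixels or images breaks the one time pad analogy drawn in the introduction.
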