
Colour Visual Cryptography Schemes Liu Wu Lin

This document proposes new colour visual cryptography schemes that improve upon prior approaches. It introduces colour visual cryptography schemes under two models: (1) A colour (k,n)-VCS and colour (k,n)-EVCS under the Naor-Shamir model with no pixel expansion. (2) A colour (k,n)-VCS and colour (k,n)-EVCS under the Tuyls model with the same pixel expansion as corresponding black/white schemes. Prior approaches had disadvantages like large pixel expansion, inability to represent many colours, or requiring halftone processing. The proposed schemes address these issues.

Uploaded by

Arun Singh
Copyright
© Attribution Non-Commercial (BY-NC)

Published in IET Information Security

Received on 27th March 2008


Revised on 4th July 2008
doi: 10.1049/iet-ifs:20080066
ISSN 1751-8709
Colour visual cryptography schemes
F. Liu 1,*, C.K. Wu 1, X.J. Lin 2
1 The State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, People's Republic of China
2 Computer Science and Technology, Ocean University of China, Qingdao 266100, People's Republic of China
* Graduate University of Chinese Academy of Sciences, Beijing 100190, People's Republic of China
E-mail: [email protected]
Abstract: Visual cryptography scheme (VCS) is a kind of secret-sharing scheme which allows the encryption of a
secret image into n shares that are distributed to n participants. The beauty of such a scheme is that, the
decryption of the secret image requires neither the knowledge of cryptography nor complex computation.
Colour visual cryptography becomes an interesting research topic after the formal introduction of visual
cryptography by Naor and Shamir in 1995. The authors propose a colour (k, n)-VCS under the visual cryptography
model of Naor and Shamir with no pixel expansion, and a colour (k, n)-extended visual cryptography scheme
((k, n)-EVCS) under the visual cryptography model of Naor and Shamir with pixel expansion the same as that of
its corresponding black and white (k, n)-EVCS. Furthermore, the authors propose a black and white (k, n)-VCS
and a black and white (k, n)-EVCS under the visual cryptography model of Tuyls. Based on the black and white
schemes, the authors propose a colour (k, n)-VCS and a colour (k, n)-EVCS under the same visual cryptography
model, of which the pixel expansions are the same as that of their corresponding black and white (k, n)-VCS and
(k, n)-EVCS, respectively. The authors also give the experimental results of the proposed schemes, and compare
the proposed scheme with known schemes in the literature.
1 Introduction
The formal definition of visual cryptography was first
introduced by Naor and Shamir. The idea of the visual
cryptography model proposed in [1] is to split an image
into two random shares (printed on transparencies) which
separately reveal no information about the original secret
image other than the size of the secret image. The image
is composed of black and white pixels. The original
image can be recovered by superimposing the two shares.
The underlying operation of this visual cryptography model
is OR.
A similar model of visual cryptography has been proposed,
such as the visual cryptography model studied in [2, 3]. This
new visual cryptography model utilised the polarisation of the
light, which could realise the XOR operation, and had good
colour, resolution and contrast properties.
The colour visual cryptography scheme (VCS) under the
visual cryptography model of Naor and Shamir has been
studied by many researchers [4–18]. The first approach to
realise colour VCS is to print the colours in the secret
image on the transparencies directly. The expected colour
appears through hiding the colours by using a special black
colour, or through showing the mixed colour according to
the subtractive and additive colour models, see examples in
[4, 5, 8, 10, 14–18]. Unfortunately, this approach has the
following disadvantages. First, this approach often
generates colour VCS with large pixel expansion. For
example, the pixel expansion of the (k, n)-VCS in [16] is
$q^{k-1}$, where $q \geq c$, and that in [18] is $cm$, and that in [15]
is $\lceil \log c \rceil m$, and that in [5] is $c \binom{n}{k} 2^{k-2}$, where c is the
number of colours and m is the pixel expansion of the
corresponding black and white (k, n)-VCS that is applied as
the building blocks. Secondly, this approach can only
represent a small number of colours, the reason being that
the pixel expansion of the colour VCS generated by this
approach is related to the number of colours in the
recovered secret image, and the pixel expansion grows
rapidly when the number of colours in the recovered secret
image increases. Hence, given a reasonable pixel expansion
in the practical sense (which cannot be too large), the
recovered secret image can only represent a small number
of colours. Thirdly, the colour model of this approach
assumes that the stacking of pixels with the same colour
will result in a pixel that has the same colour (such an
assumption is used to simplify the constructions). However,
it is not true. The stacking of some lighter pixels will result
in a darker pixel. For example, the stacking of two red
pixels will result in a wine pixel different from the original
red pixel. This is the colour darkening phenomenon
because of stacking the pixels with the same colour.
IET Inf. Secur., 2008, Vol. 2, No. 4, pp. 151–165; doi: 10.1049/iet-ifs:20080066; © The Institution of Engineering and Technology 2008; www.ietdl.org
The second approach to realise colour visual cryptography
is to convert a colour image into black and white images on
the three colour channels (red, green, blue or equivalently
cyan, magenta, yellow), respectively, and then apply the
black and white VCS to each of the colour channels. This
method can obtain smaller pixel expansion, but requires the
halftone process, which decreases the quality of the secret
image and which often results in the expansion of the input
images. Examples can be found in [6, 7, 9, 13].
The third approach to realise colour visual cryptography is
proposed by Lukac and Plataniotis [12]. Their method can
recover the secret image perfectly and requires only little
computation. Their method utilises the binary
representation of the colour of a pixel and encrypts the
secret image at the bit-level. However, the method has
pixel expansion m and needs the assistance of computing
devices for decrypting, and can only be applied under the
visual cryptography model of Naor and Shamir; the colour
extended visual cryptography scheme (EVCS) was not
considered, and the definition of EVCS can be found in
Section 2.3.
The colour VCS under the visual cryptography model of
Tuyls is attractive since it has good colour, resolution and
contrast properties. For example, the (n, n)-VCS under the
visual cryptography model can recover the secret image
perfectly. However, the colour VCS for general (k, n)
access structure has not been studied, not to mention the
colour EVCS. This paper tries to construct a general colour
(k, n)-VCS and a colour (k, n)-EVCS under the visual
cryptography model of Tuyls.
The main idea of our construction in this paper for colour
(k, n)-VCS and colour (k, n)-EVCS is that, for each pixel in
the secret image, we first represent its colour by binary bits
with several bit-levels. Then, we encrypt the bits at each
bit-level by applying the corresponding black and white
VCS and EVCS, where a corresponding VCS (resp.
EVCS) is the VCS (resp. EVCS) that has the same access
structure and under the same visual cryptography model.
Briefly, the contributions of this paper are as follows.
In Section 3, we propose a colour (k, n)-VCS and a colour
(k, n)-EVCS under the visual cryptography model of Naor
and Shamir. Both the schemes do not require the halftone
process. The colour (k, n)-VCS does not have pixel
expansion. The pixel expansion of the colour (k, n)-EVCS
is the same as that of the corresponding black and white
(k, n)-EVCS. In Section 4, we first propose a black and
white (k, n)-VCS and a black and white (k, n)-EVCS
under the XOR operation, that is, under the visual
cryptography model of Tuyls, and then based on the black
and white schemes we propose a colour (k, n)-VCS and a
colour (k, n)-EVCS under the visual cryptography model
of Tuyls, where both of the colour schemes do not require
the halftone process and have the same pixel expansion of
their corresponding black and white (k, n)-VCS and (k, n)-
EVCS, respectively.
Compared with the known results in the literature, the
advantages of our constructions are as follows. First,
compared with the first approach of realising colour VCS
[5, 6, 8, 10, 11, 15–18], the pixel expansion of our
constructions is small, and our constructions have the
ability to represent all colours. Our colour model also
considers the colour darkening phenomenon when stacking
the pixels with the same colour, which makes our
constructions more practical. Second, compared with the
second approach of realising colour VCS [6, 7, 9, 13], our
constructions do not need the halftone process while
maintaining small pixel expansion. Third, compared with
the third approach of realising colour VCS [12], our
constructions do not need the assistance of computing
devices. Furthermore, compared with the constructions in
[6, 9, 13], our constructions can generate VCS and EVCS
for general (k, n) threshold access structure, and the
construction in [6, 9, 13] only generated VCS or EVCS
for specific access structures, for example the (2, 2) and
(2, n) access structure. Explicit comparisons about our
construction and the known results in the literature can be
found in Section 5.
The rest of this paper is organised as follows. In Section 2,
we give some preliminary results about VCS including the
description of the visual cryptography model of Tuyls, the
definition of VCS and EVCS, the basic principles of colour
models and the multi-pixel encryption method. In Section
3, we propose some constructions of colour (k, n)-VCS and
colour (k, n)-EVCS under the visual cryptography model
of Naor and Shamir. In Section 4, we propose the
constructions of colour (k, n)-VCS and colour (k, n)-
EVCS under the visual cryptography model of Tuyls. In
Section 5, we give the comparisons of the proposed
constructions and the constructions in the literature.
Section 6 concludes the paper.
2 Preliminaries
2.1 Visual cryptography model of Tuyls
Tuyls et al. [2, 3] proposed a new physical system for VCS,
which can realise the XOR operation. Their main idea is to
insert a new liquid crystal (LC) layer into a liquid crystal
display (LCD) that already has an LC layer. Thus, such a
system contains five layers which are the back-light, the
first polariser, the first LC layer, the second LC layer and
the second polariser. Depending on the voltage that is
applied to an LC cell, this LC cell will rotate the
polarisation of the light that enters it to a certain angle.
The angle rotated by the cell of the first LC layer is
denoted as $\alpha_1 \in [0, \pi]$ and that by the cell of the second
LC layer as $\alpha_2 \in [0, \pi]$. Then, the total angle rotated by
the two LC layers is denoted as $\alpha = \alpha_1 + \alpha_2$. The second
polariser emits the same light of the first polariser. Let $I_r$
denote the normalised intensity of the recovered pixel
[2, 3], then we have
$$I_r(\alpha) = \cos^2 \alpha = \cos^2(\alpha_1 + \alpha_2)$$
When $\alpha_1, \alpha_2 \in \{0, \pi/2\}$, since $\cos^2(\pi) = \cos^2(0) = 1$, the
system forms a black and white visual cryptography model
with an underlying operation of XOR.
As LC layers can be driven electronically (as in LCDs), the
key can be easily updated (using pseudo random number
generators), which leads to a practical updating mechanism.
Finally, the decryption display will be rather simple, it is
only equipped with simple dedicated hardware such as a
pseudo random number generator and a storage device, and
having interaction with the untrusted communication
device, which is purely optical. These traits make this
system practical [2, 3].
2.2 Definition of VCS
In general, a (k, n)-VCS divides a secret image into n shares,
which are distributed to n participants. Any k out of n shares
can recover the secret image, but any less than k shares do not
have any information about the secret image other than the
size of the secret image. Besides, a colour (k, n)-VCS
should assume that the secret image, the shares and the
recovered secret image are all colourful.
Because all the constructions of colour VCS of this study
take their corresponding black and white VCS as building
blocks, in this section, we will give some definitions about
the black and white VCS, where we denote a black pixel by
1 and a white pixel by 0.
For a vector $v \in GF^m(2)$, we denote the Hamming weight
of the vector v by w(v). A black and white (k, n)-VCS,
denoted by $(C_0, C_1)$, consists of two collections of $n \times m$
binary matrices, $C_0$ and $C_1$. To share a white (resp. black)
pixel, a dealer (the one who sets up the system) randomly
chooses one of the matrices in $C_0$ (resp. $C_1$) and distributes
its rows (shares) to the n participants of the scheme. More
precisely, we give a formal definition of the black and white
(k, n)-VCS as follows, where we use a dot ($\cdot$) operation to
denote an OR or XOR operation in a VCS.
Definition 1: Let k, n, m and h be non-negative integers
satisfying $2 \leq k \leq n$ and $0 < h \leq m$. The two collections of
$n \times m$ binary matrices $(C_0, C_1)$ constitute a black and
white (k, n)-VCS if there exists a value $\alpha$ ($> 0$) satisfying:
1. (contrast) for any $s \in C_0$, the $\cdot$ operation of any k out of
the n rows of s is a vector v that satisfies $w(v) \leq h - \alpha m$.
2. (contrast) for any $s \in C_1$, the $\cdot$ operation of any k out of
the n rows of s is a vector v that satisfies $w(v) \geq h$.
3. (security) for any $i_1 < i_2 < \cdots < i_t$ in $\{1, 2, \ldots, n\}$ with
$t < k$, the two collections of $t \times m$ matrices $D_j$, $j = 0, 1$,
obtained by restricting each $n \times m$ matrix in $C_j$, $j = 0, 1$,
to rows $i_1, i_2, \ldots, i_t$, are indistinguishable in the sense that
they contain the same matrices with the same frequencies.
Note: in the above definition,
1. v is the resulting vector of the restricted k out of the n rows
under the operation $\cdot$. The notation $\cdot$ stands for the
operation OR or XOR for the black and white VCS, and
for colour VCS, the underlying operation of this study will
be defined in Section 2.4.
2. m is the pixel expansion of the scheme.
3. $\alpha$ is called the contrast of the scheme.
In Definition 1, the first two contrast conditions ensure
that the stacking of k out of n shares can recover the secret
image. The security condition ensures that, any less than k
shares cannot obtain any information about the secret
image other than its size.
We consider VCS where $C_0$ and $C_1$ are constructed from a
pair of $n \times m$ matrices $M_0$ and $M_1$, which are called basis
matrices. The set $C_i$ ($i = 0, 1$) consists of the m! matrices
obtained by applying all permutations to the columns of
$M_i$. This approach of VCS construction will have small
memory requirements (it only keeps the basis matrices) and
high efficiency [to choose a matrix in $C_0$ (resp. $C_1$), it only
needs to generate a permutation of the basis matrix].
In this paper, we denote $P(M_i)$ as a random column
permutation of $M_i$. We will use the basis matrices to
simplify the discussions.
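The following Python check is an added example, not code from the paper: it tests the contrast and security conditions of Definition 1 directly on a pair of basis matrices, under either OR or XOR. The (2, 2) and (2, 3) basis matrices, the deliberately leaky pair and all function names are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

# Assumed sample basis matrices (rows = participants, columns = sub-pixels).
NS22_M0 = [[1, 0], [1, 0]]                      # (2, 2) scheme, white pixel
NS22_M1 = [[1, 0], [0, 1]]                      # (2, 2) scheme, black pixel
NS23_M0 = [[1, 0, 0], [1, 0, 0], [1, 0, 0]]     # (2, 3) scheme, white pixel
NS23_M1 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]     # (2, 3) scheme, black pixel
LEAKY_M0 = [[0, 0], [0, 0]]                     # good contrast, no security
LEAKY_M1 = [[1, 1], [1, 1]]


def combine(rows, op):
    """Superimpose rows column by column with OR (Naor-Shamir) or XOR (Tuyls)."""
    out = [0] * len(rows[0])
    for row in rows:
        out = [(a | b) if op == "or" else (a ^ b) for a, b in zip(out, row)]
    return out


def column_multiset(matrix, row_idx):
    """Multiset of the columns of `matrix` restricted to the rows in `row_idx`."""
    width = len(matrix[0])
    return Counter(tuple(matrix[i][c] for i in row_idx) for c in range(width))


def check_vcs(M0, M1, k, op="or"):
    """Evaluate Definition 1 for the collections generated by M0 and M1."""
    n, m = len(M0), len(M0[0])
    subsets = list(combinations(range(n), k))
    # Hamming weight is invariant under column permutation, so checking the
    # basis matrices covers every matrix in C_0 and C_1.
    white = max(sum(combine([M0[i] for i in q], op)) for q in subsets)
    black = min(sum(combine([M1[i] for i in q], op)) for q in subsets)
    h = black                       # smallest weight any black pixel can show
    alpha = (h - white) / m         # largest alpha with w(v) <= h - alpha*m
    # The restricted collections contain the same matrices with the same
    # frequencies exactly when the restricted basis matrices have the same
    # multiset of columns.
    secure = all(
        column_multiset(M0, q) == column_multiset(M1, q)
        for t in range(1, k)
        for q in combinations(range(n), t)
    )
    return {"h": h, "alpha": alpha, "contrast_ok": alpha > 0, "secure": secure}


if __name__ == "__main__":
    print("(2,2) OR  :", check_vcs(NS22_M0, NS22_M1, 2, "or"))
    print("(2,2) XOR :", check_vcs(NS22_M0, NS22_M1, 2, "xor"))
    print("(2,3) OR  :", check_vcs(NS23_M0, NS23_M1, 2, "or"))
    print("leaky OR  :", check_vcs(LEAKY_M0, LEAKY_M1, 2, "or"))
```

The leaky pair shows why the contrast conditions alone are not enough: it has contrast 1 but a single share already reveals the pixel.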
2.3 Definition of EVCS
In general, a (k, n)-EVCS takes a secret image and n original
share images as inputs, and outputs n shares that satisfy the
following three conditions: first, any k out of n shares can
recover the secret image; secondly, any less than k shares
cannot obtain any information about the secret image other
than the size of the secret image; and thirdly, all the shares
are meaningful images. Besides, a colour (k, n)-EVCS
should fulfil the condition that the secret image, the
original share images, the shares and the recovered secret
image are all colourful.
Because all the constructions of colour EVCS of this study
take their corresponding black and white EVCS as building
blocks, in this section, we will give some definitions about
the black and white EVCS. Note that, for the black and
white EVCS, the colour of a pixel only has two possible
values: black and white.
We denote $C_c^{c_1,\ldots,c_n}$ as the collections of matrices from
which the dealer chooses a matrix to encrypt, where
$c, c_1, \ldots, c_n \in \{1, 0\}$. For $i = 1, \ldots, n$, $c_i$ is the colour of
the pixel on the ith original share image, and c is the colour
of the secret image. Hence, to realise a black and white (k,
n)-EVCS, we have to construct $2^n$ pairs of such collections
$(C_0^{c_1,\ldots,c_n}, C_1^{c_1,\ldots,c_n})$, one for each possible combination of
white and black pixels in the n original share images. A
black and white (k, n)-EVCS is defined as follows.
Definition 2 ([1]): A family of $2^n$ pairs of collections
of $n \times m'$ binary matrices $\{(C_0^{c_1,\ldots,c_n}, C_1^{c_1,\ldots,c_n})\}_{c_1,\ldots,c_n \in \{1,0\}}$,
constitute a black and white (k, n)-EVCS if there exist
values $\alpha_F$ ($> 0$), $\alpha_S$ ($> 0$) and h satisfying:
1. (contrast) for any $M \in C_0^{c_1,\ldots,c_n}$, the $\cdot$ operation of any k
out of n rows of M is a vector v that satisfies
$w(v) \leq (h - \alpha_F m')$, and for any $M \in C_1^{c_1,\ldots,c_n}$, we have
$w(v) \geq h$.
2. (security) for any $i_1 < i_2 < \cdots < i_t$ in $\{1, 2, \ldots, n\}$ with
$t < k$, the two collections of $t \times m'$ matrices $D_j^{c_1,\ldots,c_n}$, $j = 0, 1$,
obtained by restricting each $n \times m'$ matrix in $C_j^{c_1,\ldots,c_n}$
to rows $i_1, i_2, \ldots, i_t$, are indistinguishable in the sense that
they contain the same matrices with the same frequencies.
3. (contrast) after the original share images are encrypted,
the shares are still meaningful. Formally, for any
$i \in \{1, 2, \ldots, n\}$ and any $c, c_1, \ldots, c_{i-1}, c_{i+1}, \ldots, c_n \in \{0, 1\}$,
with the ith row of M denoted as M[i], we have
$$\min_{M \in \mathcal{M}_1} w(M[i]) - \max_{M \in \mathcal{M}_0} w(M[i]) \geq \alpha_S m'$$
where
$$\mathcal{M}_1 = \bigcup_{c, c_1, \ldots, c_n \in \{0,1\}} C_c^{c_1, \ldots, c_{(i-1)} 1 c_{(i+1)}, \ldots, c_n}$$
and
$$\mathcal{M}_0 = \bigcup_{c, c_1, \ldots, c_n \in \{0,1\}} C_c^{c_1, \ldots, c_{(i-1)} 0 c_{(i+1)}, \ldots, c_n}$$
In the above Definition 2, $m'$ is the pixel expansion of the
black and white (k, n)-EVCS. $\alpha_F$ and $\alpha_S$ are the contrast
of the recovered secret image and that of the shares,
respectively.
Similarly, as discussed in Section 2.2, we consider EVCS
where $C_c^{c_1,\ldots,c_n}$ ($c, c_1, \ldots, c_n \in \{0, 1\}$) are constructed from the
$n \times m'$ basis matrices $S_c^{c_1,\ldots,c_n}$. The set $C_c^{c_1,\ldots,c_n}$ consists of
the $m'!$ matrices obtained by applying all permutations to
the columns of $S_c^{c_1,\ldots,c_n}$. Denote $P(S_c^{c_1,\ldots,c_n})$ as a random
column permutation of $S_c^{c_1,\ldots,c_n}$.
In Definition 2, the first and second conditions correspond
to the contrast and security conditions of Definition 1, and
the third condition implies that the original share images
are not modified, that is, after we encrypt the n original
images by using the $2^n$ pairs of collections
$\{(C_0^{c_1,\ldots,c_n}, C_1^{c_1,\ldots,c_n})\}$, where $c_1, \ldots, c_n \in \{0, 1\}$, the
encrypted shares are still meaningful.
Naor and Shamir first mentioned a simple example of black
and white EVCS in [1], that is, each share carries a meaningful
image rather than a noise image. Droste [19] proposed a new
black and white EVCS that not only encrypts the shares with
meaningful images but also decrypts different secret images by
stacking different combinations of shares. Ateniese et al. [20]
have formalised the framework of black and white EVCS for
general access structures. All of the above schemes are under
the visual cryptography model of Naor and Shamir that is,
under the operation OR. However, for the general black and
white (k, n)-EVCS under the visual cryptography model of
Tuyls [2, 3], that is, under the operation XOR, there are no
such constructions. In Section 4.2, we propose a black and
white (k, n)-EVCS under the XOR operation that is under
the visual cryptography model of Tuyls. Also, based on the
black and white (k, n)-EVCS, we propose a colour (k, n)-
EVCS under the visual cryptography model of Tuyls in
Section 4.3.
2.4 Basic principles of colour models
The additive and subtractive colour models are widely used to
describe the constitutions of colours. In the additive colour
model, the three primary colours are red, green and blue
(RGB), with desired colours being obtained by mixing
different RGB channels. By controlling the intensity of red
(resp. green or blue) channel, we can modulate the amount
of red (resp. green or blue) in compound light. The more
the mixed-coloured light, the more is the brightness of the
light. Mixing the red, green and blue channels of equal
intensities, results in white colour light. The computer
screen is a good example of the additive colour model. In
the subtractive colour model, the colour is represented by
applying the combinations of coloured light reflected from
the surface of an object (because most objects do not radiate
by themselves). For example take an apple under natural
light; the surface of the apple absorbs the green and blue
parts of the natural light and reects the red light to human
eyes and, thus, it becomes a red apple. By mixing cyan (C)
with magenta (M) and yellow (Y) pigments, we can
produce a wide range of colours. The more the pigment
added, the lower is the intensity of the light, and thus the
darker is the light. This is why it is called the subtractive
model. C, M and Y are the three primitive colours of
pigment, which cannot be composed from other colours.
In the computer, a natural colour image can be divided into
three colour channels: red, green and blue (or equivalently
cyan, magenta and yellow), and each channel will constitute
a grey-level image, where each pixel can be represented by a
binary value of 8 bits. Denote $x_{(p,q)} = [x_{(p,q)1}, x_{(p,q)2}, x_{(p,q)3}]$
as the colour of a pixel located at the position (p, q) of a
colour image of size $K_1 \times K_2$ for $p = 1, 2, \ldots, K_1$ and
$q = 1, 2, \ldots, K_2$. Let t describe the colour channel (e.g.
t = 1 for red, t = 2 for green and t = 3 for blue) and the
colour component $x_{(p,q)t}$ is coded with a binary value of
8-bits allowing $x_{(p,q)t}$ to be an integer value between 0 and
$2^8 - 1 = 255$ and, hence, the colour of the pixel $x_{(p,q)}$ can
be expressed in a binary form as follows
$$x_{(p,q)} = \sum_{i=1}^{8} x^i_{(p,q)} 2^{8-i}$$
where $x^i_{(p,q)} = [x^i_{(p,q)1}, x^i_{(p,q)2}, x^i_{(p,q)3}] \in \{0, 1\}^3$ denote the
binary vector at the ith bit-level, with i = 1 denoting the
most significant bit and i = 2 denoting the second most
significant bit. In such a way, a natural colour image is
divided into 24 binary images.
By the grey level of a pixel, we mean the darkness of the
pixel for each colour channel. In this study, we
divide the distance between a black and a white pixel, for
each colour channel, into 256 grey levels. Define the grey
level 0 for a complete white pixel, and the grey level 255 for
a complete black pixel. Note that this definition of black and
white pixels is just the opposite to their traditional
definitions on computer. Under this definition, the 1s and
0s in the binary representation of the grey level correspond
to black and white bits, respectively, which is consistent with
their traditional definitions in visual cryptography.
Because we divide 256 grey levels for each colour channel,
each colour channel can be expressed by a binary vector of
8 bits. To construct such a colour VCS, different bit-levels
should be assigned with different grey levels in order to
represent the target colour (grey level). For example, we can
print a pixel with a grey level $a_1$ for the most significant bit,
and $a_2$ for the second most significant bit under the visual
cryptography model of Naor and Shamir. For the VCS
under the visual cryptography model of Tuyls, we rotate
through an angle $(a_1/256 \cdot \pi/2)$ for the most significant bit,
and through $(a_2/256 \cdot \pi/2)$ for the second most significant
bit and so on, where $a_i \in [0, 255]$, for $i \in \{1, \ldots, 8\}$.
Then, we show the principles of the colour
superimposition for the visual cryptography model of Naor
and Shamir and those of Tuyls, respectively. To simplify
the discussion, we take one colour channel as an example.
First, for the visual cryptography model of Naor and
Shamir, the basic principle of the colour by superimposing
two pixels is defined as follows: for a pixel with a grey
level $a_i$ and a pixel with a grey level $a_j$, the grey level of
the result pixel by stacking the two pixels will be
$(255 - ((255 - a_i)(255 - a_j)/255))$. This definition of
colour superimposition is widely accepted: see the examples
in [5]. (Note that our representation of that grey level of
the resulting pixel is different from that in [5], the reason
being that we define the grey level 255 as the black pixel
and grey level 0 as the white pixel, whereas the definition
in [5] is just the opposite. It is easy to verify that our
representation is equivalent to that in [5]).
Secondly, for the visual cryptography model of Tuyls, the
basic principle of the colour by superimposing the shares is
defined as follows: for a pixel with a grey level $a_i$ and a
pixel with a grey level $a_j$, which are realised by rotating the
angles $(a_i/256 \cdot \pi/2)$ and $(a_j/256 \cdot \pi/2)$ for the first and
the second LC layers, respectively, the grey level of the
superimposition of the two pixels will be $a_i + a_j$, which is
realised by rotating through an angle $(a_i + a_j)/256 \cdot \pi/2$.
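The colour model of Sections 2.1 and 2.4 can be exercised numerically. The Python sketch below is an added example, not code from the paper: it splits a pixel into its 8 bit-levels, applies the two superimposition rules, and derives the XOR table from the intensity formula $I_r = \cos^2(\alpha_1 + \alpha_2)$. The function names and sample values are assumptions.

```python
import math


def bit_levels(pixel):
    """Split a 3-channel pixel (each 0..255) into x^1..x^8, x^1 being the MSB."""
    return [[(ch >> (8 - i)) & 1 for ch in pixel] for i in range(1, 9)]


def from_bit_levels(levels):
    """Rebuild the pixel as sum_{i=1..8} x^i * 2^(8-i), channel by channel."""
    return [sum(levels[i - 1][t] * 2 ** (8 - i) for i in range(1, 9))
            for t in range(3)]


def stack_naor_shamir(a_i, a_j):
    """Grey level (0 = white, 255 = black) of two stacked transparencies."""
    return 255 - (255 - a_i) * (255 - a_j) / 255


def stack_tuyls(a_i, a_j):
    """Grey level of two LC layers: the rotation angles add, so levels add."""
    return a_i + a_j


def intensity(grey_levels):
    """Normalised intensity cos^2(alpha) for layers showing these grey levels."""
    alpha = sum(a / 256 * math.pi / 2 for a in grey_levels)
    return math.cos(alpha) ** 2


def xor_table():
    """Black/white case: bit 1 rotates by pi/2, bit 0 by 0; 1 = dark result."""
    table = {}
    for b1 in (0, 1):
        for b2 in (0, 1):
            alpha = (b1 + b2) * math.pi / 2
            table[(b1, b2)] = 1 - round(math.cos(alpha) ** 2)
    return table


if __name__ == "__main__":
    px = [200, 17, 255]                     # constructed sample pixel
    print("bit-levels:", bit_levels(px))
    print("round trip:", from_bit_levels(bit_levels(px)))
    # Colour darkening: stacking two equal grey levels gives a darker pixel.
    print("stack(128, 128), Naor-Shamir:", stack_naor_shamir(128, 128))
    print("stack(64, 64), Tuyls:", stack_tuyls(64, 64), intensity([64, 64]))
    print("XOR table:", xor_table())
```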
2.5 Multi-pixel encryption method
In most cases, the encryption of the VCS causes the
expansion of the shares, which will lower the resolution of
the recovered secret image and enlarge the storage of the
shares. Ito et al. [21] and Yang [22] propose a method that
encrypts a pixel by randomly choosing a column in the
basis matrix; this method results in no pixel expansion.
Unfortunately, the recovered secret image appears to be a
clutter; many noise-like pixels appear in the recovered
secret image. To mitigate this phenomenon, Hou and Tu
proposed a new method in [7], which encrypts a block of
m pixels at a time. This method results in no pixel
expansion and has a better visual effect in the recovered
secret image than the method in [21, 22]. In this paper, we
make use of the multi-pixel encryption method to reduce
the pixel expansion of our colour VCS.
Denote $M_0$ and $M_1$ as the $n \times m$ basis matrices for a black
and white (k, n)-VCS, which satisfy Definition 1. Denote b
as the number of the black pixels in a block of m pixels.
Denote $e_b$ as the number of blocks, with b black pixels,
which have already been encrypted. The multi-pixel
encryption method of [7] encrypts a block of m pixels at a
time and can be described as follows:
2.5.1 Algorithm 1 ([7]): Input: The secret image and the
basis matrices for a black and white (k, n)-VCS, $M_0$ and $M_1$,
which have pixel expansion m.
Output: The shares $S_i$ for $i = 1, \ldots, n$.
Step 1: Set $e_b = 0$ for $b = 1, 2, \ldots, m$;
Step 2: Pick up a block of m pixels, $p_1, p_2, \ldots, p_m$, in the
secret image, and denote b as the number of black pixels
among them;
Step 3: Put the m sub-pixels in the ith row of P(M) to the
corresponding positions of $p_1, p_2, \ldots, p_m$ in the ith share
for $i = 1, \ldots, n$, where P(M) is a random column
permutation of M and the basis matrix M is decided as follows
if $e_b \bmod m < b$ then $M = M_1$ else $M = M_0$
Step 4: Set $e_b = e_b + 1$;
Step 5: Repeat the Steps 2, 3 and 4 until all the pixels of the secret
image are encrypted and output the n shares $S_i$ for $i = 1, \ldots, n$.
For a block of m pixels that have b black pixels, Algorithm 1
shows a method to encrypt these m pixels with the basis matrices
$M_0$ and $M_1$, where $M_0$ contributes with a probability of $b/m$
and $M_1$ contributes with a probability of $(m - b)/m$ exactly.
By such a method, the recovered secret image has a better
visual effect than the scheme in [21]; the experimental results
about the multi-pixel encryption can be found in [7]. An
example of Algorithm 1 can be found in Example 1.
The security of the multi-pixel encryption method has
been proved by Hou and Tu [7]; we refer to their result by
the following theorem:
Theorem 1 ([7]): Algorithm 1 generates n shares $S_i$
for $i = 1, \ldots, n$, where less than k out of these n shares
cannot obtain any information about the secret image other
than the size of the secret image.
Proof: According to Algorithm 1, each block of m pixels in
the secret image is encrypted by either $P(M_0)$ or $P(M_1)$, and
because $M_0$ and $M_1$ are the basis matrices of a black and
white (k, n)-VCS, which satisfies the security condition of
Definition 1, i.e. given any less than k shares, then it
cannot tell whether a block of m pixels in the secret image
is encrypted by $P(M_0)$ or $P(M_1)$, as both are equally likely.
Hence the conclusion of the theorem follows. □
Note that the multi-pixel encryption is a method to reduce
the pixel expansion while maintaining better visual effect.
However, for the encryption of a single pixel, the generated
shares do not satisfy the contrast conditions of Definition 1
since a white pixel may occasionally be wrongly represented
by a black pixel and vice versa.
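Algorithm 1 can be traced on a small input. The Python sketch below is an added example, not code from the paper or from [7]: it follows Steps 1 to 5 as written above for a one-row secret, using an assumed (2, 2) basis-matrix pair under OR with m = 2 and a constructed secret. The function names are hypothetical.

```python
import random
from collections import defaultdict

# Assumed basis matrices of a (2, 2)-VCS under OR with pixel expansion m = 2.
M0 = [[1, 0], [1, 0]]
M1 = [[1, 0], [0, 1]]

# Constructed one-row secret (1 = black): eight blocks of m = 2 pixels with
# b = 1, 1, 1, 1, 2, 2, 0, 0 black pixels.
SECRET = [1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0]


def encrypt_blocks(secret_bits, basis0, basis1, rng):
    """Multi-pixel encryption of a flat bit list; returns (shares, choices)."""
    n, m = len(basis0), len(basis0[0])
    if len(secret_bits) % m:
        raise ValueError("secret length must be a multiple of m")
    e = defaultdict(int)                      # Step 1: every counter e_b = 0
    shares = [[] for _ in range(n)]
    choices = []                              # (b, 1 if M1 was used else 0)
    for start in range(0, len(secret_bits), m):
        b = sum(secret_bits[start:start + m])  # Step 2: black pixels in block
        use_m1 = e[b] % m < b                  # Step 3: pick the basis matrix
        basis = basis1 if use_m1 else basis0
        perm = list(range(m))
        rng.shuffle(perm)                      # P(M): same permutation, all rows
        for i in range(n):
            shares[i].extend(basis[i][c] for c in perm)
        e[b] += 1                              # Step 4
        choices.append((b, int(use_m1)))
    return shares, choices                     # Step 5: all blocks processed


def stack_or(*shares):
    """Superimpose transparencies pixel by pixel (OR)."""
    return [int(any(px)) for px in zip(*shares)]


def block_weights(bits, m):
    """Hamming weight of each consecutive block of m pixels."""
    return [sum(bits[i:i + m]) for i in range(0, len(bits), m)]


def run_demo(seed=1):
    # A seeded PRNG keeps the demo reproducible; a real dealer needs a
    # cryptographically secure source such as random.SystemRandom().
    shares, choices = encrypt_blocks(SECRET, M0, M1, random.Random(seed))
    return {
        "choices": choices,
        "share_lengths": [len(s) for s in shares],
        "recovered_weights": block_weights(stack_or(*shares), 2),
        "share1_weights": block_weights(shares[0], 2),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Each share has the same length as the secret, and every block of a single share has weight 1 whatever the secret block was; the half-black blocks alternate between the two basis matrices, which is the single-block contrast loss noted above.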
3 Colour VCS and colour EVCS under the visual cryptography model of Naor and Shamir
Usually, a colour visual cryptography model has large pixel
expansion. In this section, we propose a construction of
colour (k, n)-VCS and a construction of colour (k, n)-EVCS
under the visual cryptography model of Naor and Shamir.
For the proposed colour (k, n)-VCS, the advantages of the
scheme are as follows: it takes a natural image as input, which
does not need the halftone process, and has no pixel expansion.
For the proposed colour (k, n)-EVCS, the advantages of this
scheme are as follows: it realises the colour (k, n)-EVCS with
pixel expansion $m'$ for general access structures and does not
require the halftone process (recall that $m'$ is the pixel
expansion of the corresponding black and white (k, n)-EVCS).
Construction 1 below constructs the colour (k, n)-VCS by
Steps 1, 2, 3 and 4, and constructs the colour (k, n)-EVCS by
Steps 1′, 2′, 3 and 4:
Construction 1: Constructions of the colour (k, n)-VCS and
the colour (k, n)-EVCS under the visual cryptography
model of Naor and Shamir:
Setup: Denote the $n \times m$ matrices $M_0$ and $M_1$ as the basis
matrices of a corresponding black and white (k, n)-VCS
under the visual cryptography model of Naor and Shamir.
Denote the $n \times m'$ matrices $M_c^{c_1,\ldots,c_n}$ as the basis matrices
of a corresponding black and white (k, n)-EVCS under the
visual cryptography model of Naor and Shamir, where
$c, c_1, \ldots, c_n \in \{0, 1\}$. Denote $a_j$ as the grey level of 1s at
bit-level j, $j \in \{1, 2, \ldots, 8\}$.
Output: The shares $S_i$ for $i = 1, \ldots, n$.
Step 1: Represent the grey levels of each colour channel (C, M
and Y, respectively) of all the pixels in the secret image by
vectors of 8 bits, that is, the secret image is divided into
8 bit-levels and each bit-level forms a binary image.
Step 1′: Represent the grey levels of each colour channel (C, M
and Y, respectively) of all the pixels in the secret image (resp.
the n original share images) by vectors of 8 bits, that is, the
secret image (resp. the n original share images) is divided
into 8 bit-levels and each bit-level forms a binary image.
Step 2: For each bit-level j and each colour channel, choose a
block of m pixels in the binary secret image, and encrypt the m
bits by applying Algorithm 1 for the colour channels C, M and
Y and bit-levels $j \in \{1, 2, \ldots, 8\}$, respectively, in which
replace the 1s in $M_0$ or $M_1$ by the grey level $a_j$ and leave the
0s intact.
Step 2′: For each bit-level j and each colour channel, encrypt a
bit by $P(M_c^{c_1,\ldots,c_n})$ for the colour channels C, M and Y and
bit-levels $j \in \{1, 2, \ldots, 8\}$, respectively, in which $P(M_c^{c_1,\ldots,c_n})$ is a
random column permutation of $M_c^{c_1,\ldots,c_n}$ and replace the 1s in
$P(M_c^{c_1,\ldots,c_n})$ by the grey level $a_j$ and leave the 0s intact.
Step 3: Repeat the steps 1 and 2 (resp. 1′ and 2′) until all the
pixels in the secret image have been encrypted. Then, we
obtain the shares $s^1_{i,t}, s^2_{i,t}, \ldots, s^8_{i,t}$ where $i \in \{1, 2, \ldots, n\}$,
$t \in \{C, M, Y\}$ and the share $s^j_{i,t}$ is denoted as the share for
the participant i at the bit-level j for the colour channel t.
Step 4: Each participant i is distributed with a share $S_i$, where
$S_i$ is generated by stacking the shares at the different bit-levels
and of the different colour channels $s^1_{i,C}, s^2_{i,C}, \ldots, s^8_{i,C}$,
$s^1_{i,M}, s^2_{i,M}, \ldots, s^8_{i,M}$, $s^1_{i,Y}, s^2_{i,Y}, \ldots, s^8_{i,Y}$ for $i \in \{1, 2, \ldots, n\}$.
In Construction 1, Steps 1 and 1′ divide the secret image (resp. the n original share images) into 8 bit-levels and three colour channels. In fact, the colour images stored in the computer, such as the bitmap image file, are of this format. Then, in Steps 2, 2′ and 3, we encrypt each bit-level and colour channel, respectively. More specifically, when we encrypt the binary secret image at bit-level j by applying the corresponding black and white (k, n)-VCS, for the bit-level j, we print pixels with grey level $a_j$ for the 1s of $M_0$, $M_1$ and $M_c^{c_1,\ldots,c_n}$, and leave the pixel intact for the 0s of $M_0$, $M_1$ and $M_c^{c_1,\ldots,c_n}$. Then, we construct 24 shares in total for each participant, that is, the shares $s_{i,C}^1, s_{i,C}^2, \ldots, s_{i,C}^8, s_{i,M}^1, s_{i,M}^2, \ldots, s_{i,M}^8, s_{i,Y}^1, s_{i,Y}^2, \ldots, s_{i,Y}^8$. The final shares for the participants are constructed by superimposing the 24 shares in Step 4. One can easily observe that shares at the bit-level j can recover the jth binary image (bit-level) of the secret image visually. Thus, by superimposing the shares of all the bit-levels, the original secret image appears visually with all the bit-levels.
We need to point out that, taking the characteristic of the
human visual system into consideration, the dealer does not
need to generate all the shares for all the bit-levels, since
the information about a higher bit-level is not as important
as that of a lower bit-level for the human visual system,
that is, the dealer only generates the shares for several lower
bit-levels in the practical sense. In Examples 1 and 3, we
only generated the shares for the most and second most
significant bit-levels.
In Step 2, Algorithm 1 encrypts a block of m pixels at a
time by using the m columns of the basis matrices, which
results in no pixel expansion. For general colour (k, n)-
VCS, one can make use of the basis matrices of the
corresponding black and white (k, n)-VCS proposed in
[1, 19, 23] and so on.
In Step 2′, because the encryption uses the $n \times m'$ basis matrix $M_c^{c_1,\ldots,c_n}$, this latter scheme results in the pixel expansion $m'$, that is, the same as that of the corresponding black and white EVCS. For general colour (k, n)-EVCS, one can make use of the basis matrices of the corresponding black and white (k, n)-EVCS proposed in [19, 20].
As for the security of Construction 1, according to Definitions 1 and 2, and Theorem 1, we have the following theorem:
Theorem 2: Construction 1 generates n shares $S_i$ for $i = 1, \ldots, n$, where less than k out of n shares cannot get any information about the secret image other than the size of the secret image.
Proof: In Construction 1, the corresponding black and white (k, n)-VCS and (k, n)-EVCS are used to encrypt the secret bits at each bit-level and each colour channel, respectively, that is, for a particular bit-level j ($1 \le j \le 8$) and a colour channel X ($X = C, M, Y$), the shares $s_{1,X}^j, s_{2,X}^j, \ldots, s_{n,X}^j$ constitute a black and white (k, n)-VCS. Because of the security conditions of Definitions 1 and 2 and Theorem 1, any less than k out of n shares cannot obtain any information about the secret image other than the size of the secret image on the bit-level j and colour channel X, and they cannot get any information about the secret image for other bit-levels and colour channels either, since the construction of the shares $s_{1,X}^j, s_{2,X}^j, \ldots, s_{n,X}^j$ is irrelevant to the information about the secret image on those bit-levels and colour channels. By applying the above discussions to all the bit-levels and colour channels, we have that any less than k out of n shares cannot get any information about the secret image other than the size of the secret image. □
For the colour VCS under the visual cryptography model of Naor and Shamir, the 0s in the transparencies for all bit-levels are intact (i.e. with grey level 0), and the 1s for the bit-level j are assigned the grey level $a_j$. Hence, the distance between the 0s and 1s for bit-level j is $a_j$. The larger the value of $a_j$, the more apparent is the difference between black and white pixels at bit-level j. For two bit-levels i and j, where $i < j$, they should satisfy $a_i > a_j$. For example, the grey levels of the most and second most significant bits $a_1$ and $a_2$ should satisfy $a_1 > a_2$, and the larger the value of $(a_1 - a_2)$, the more apparent the most significant bits appear in the recovered secret image, and vice versa. Hence, for different types of secret images, the dealer should choose the grey levels carefully for different applications.
An example of Construction 1 is as follows:
Example 1: For the construction of a colour (2, 2)-VCS by Construction 1: let the basis matrices used in Algorithm 1 of the corresponding black and white (2, 2)-VCS be $M_0 = \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix}$ and $M_1 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$, where the pixel expansion is $m = 2$. To simplify the example, we take a secret image with only two bit-levels as example, that is, each pixel only has the most and second most significant bits for each colour channel. In such case, the grey levels of each colour channel only have the four values 192, 128, 64 and 0. Let the parameters of Algorithm 1 be $e_0 = 0$, $e_1 = 0$ and $e_2 = 0$ for the most significant bit-level and $e'_0 = 0$, $e'_1 = 0$ and $e'_2 = 0$ for the second most significant bit-level. We take the encryption of a block of 2 pixels with the grey levels 192 and 128 as example. We come to know that the most significant bits of the two pixels are 1, 1. Because $(e_2 \bmod m) = (0 \bmod 2) = 0 < 2$, we encrypt the two bits by $P(M_1)$, where we replace the 1s in $M_1$ by the grey level $a_1$ and leave the 0s in $P(M_1)$ intact; then, we set $e_2 = 1$. Then, the second most significant bits are 1, 0. Because $(e'_1 \bmod m) = (0 \bmod 1) = 0 < 1$, we encrypt the two bits by $P(M_1)$, where we replace the 1s in $M_1$ by the grey level $a_2$ and leave the 0s in $P(M_1)$ intact; then, we set $e'_1 = 1$. By encrypting all the blocks in the secret image, we obtain six shares for each participant i as $S_{i,C}^1$, $S_{i,C}^2$, $S_{i,M}^1$, $S_{i,M}^2$, $S_{i,Y}^1$ and $S_{i,Y}^2$. By stacking the six shares, we obtain the final share $S_i$ for
participant i. Fig. 1 shows the experimental results of the colour (2, 2)-VCS, where we set the grey levels $a_1 = 128$ and $a_2 = 64$.
Similarly, for the construction of colour (2, 2)-EVCS by Construction 1: let the basis matrices of the corresponding black and white (2, 2)-EVCS be the second example in Example 2 in Section 4.2, where the pixel expansion is 4. Also, let the secret image and the original share images only have two bit-levels for each colour channel. For the encryption of a pixel where the grey levels of the secret image and the two original share images are 192, 128 and 64, the most significant bits of the pixel in the three images are 1, 1, 0. Hence, we encrypt the most significant bit of this pixel by $P(S_1^{10})$. Similarly, we encrypt the second most significant bits of this pixel by $P(S_1^{01})$, where we replace the 1s in $P(S_1^{10})$ and $P(S_1^{01})$ by the grey levels $a_1$ and $a_2$, respectively. By encrypting all the pixels in the secret image, we obtain six shares for each participant i as $S_{i,C}^1$, $S_{i,C}^2$, $S_{i,M}^1$, $S_{i,M}^2$, $S_{i,Y}^1$ and $S_{i,Y}^2$. By stacking the six shares, we obtain the final share $S_i$ for participant i. Fig. 2 shows the experimental results of the colour (2, 2)-EVCS, where we set the grey levels $a_1 = 180$ and $a_2 = 65$.
Under the ideal subtractive colour model, the stacking of
the qualied colour shares can recover the secret image
visually. However, such an ideal subtractive colour mixture
is impractical because of the properties of the ink. To
alleviate this phenomenon, we propose to divide the colour
into three channels C, M and Y, and print each channel of
the colour on adjacent pixels, respectively. Superimposition
of the same colour channel results in better visual effect.
However, this method will expand the output images three
times.
4 Colour VCS and colour EVCS under the visual cryptography model of Tuyls
In Sections 4.1 and 4.2, we first propose a black and white
(k, n)-VCS and a black and white (k, n)-EVCS under the
XOR operation as primary building blocks for our further
constructions. Based on that, we then propose a colour
(k, n)-VCS and a colour (k, n)-EVCS under the visual
cryptography model of Tuyls, where both of the colour
schemes do not require the halftone process and have the
same pixel expansion of their corresponding black and
white (k, n)-VCS and (k, n)-EVCS, respectively.
4.1 Black and white (k, n)-VCS under the visual cryptography model of Tuyls
Droste [19] proposed an algorithm to construct (k, n)-VCS
under the OR operation, that is, under the visual
cryptography model of Naor and Shamir. In this section,
we will prove that the basis matrices constructed by that algorithm also form a (k, n)-VCS under the XOR operation, that is, under the visual cryptography model of Tuyls. Droste's algorithm can be described as follows.
First, we give a sub-routine ADD(p, M), which adds to each restriction of k rows of a matrix M every column with p 1s by adding columns to the entire matrix M, where a matrix is considered as a collection of columns.
ADD(p, M):
1: If $p \le k - p$, add all the columns with $q = p$ 1s to M, that is, the number of columns of M is increased by $\binom{n}{q}$.
2: If $p > k - p$, add all the columns with $q = p + n - k$ 1s to M, that is, the number of columns of M is increased by $\binom{n}{q}$.
Figure 1 Experimental results of the colour (2, 2)-VCS with no pixel expansion under the visual cryptography model of Naor and Shamir
a Original secret image
b Resulting image by superimposing Figs. 1c and 1d
c Encrypted shares
d Encrypted shares
Size of the secret image is 256 × 256
The sub-routine ADD(p, M) makes it easy to construct basis matrices $M_0$ (resp. $M_1$) whose restrictions to k rows always contain every even (resp. odd) column (an even column is one that contains an even number of 1s; an odd column is one that contains an odd number of 1s). When every even (resp. odd) column is removed once from every restriction of $M_0$ (resp. $M_1$), the remaining columns stay the same, i.e., those remaining columns are unchanged regardless of which k rows are restricted, and whether they are from $M_0$ or $M_1$. Hence, the remaining columns of every restriction of $M_0$, which are not remaining columns of every restriction of $M_1$, called the rest of $M_0$, have to be added to every restriction of $M_1$ and vice versa. In most cases, these added columns will create new rests which cause new columns to be added. The algorithm has the following form:
4.1.1 Algorithm 2 ([19]):
Input: The parameters k and n, and two empty basis matrices $M_0$ and $M_1$, where the basis matrices $M_0$ and $M_1$ are considered as collections of columns;
Output: The basis matrices $M_0$ and $M_1$ for a (k, n)-VCS;
Step 1: For all even $p \in \{0, \ldots, k\}$, call ADD(p, $M_0$);
Step 2: For all odd $p \in \{0, \ldots, k\}$, call ADD(p, $M_1$);
Step 3: While the rests of $M_0$ and $M_1$ are not empty:
(a) Add to $M_0$ all columns adjusting the rest of $M_1$ by calling ADD.
(b) Add to $M_1$ all columns adjusting the rest of $M_0$ by calling ADD.
Execute the Step 3 until the rests of $M_0$ and $M_1$ are empty.
Then, we show that Algorithm 2 also generates a (k, n)-VCS under the XOR operation, that is, under the visual cryptography model of Tuyls.
Theorem 3: Algorithm 2 generates the basis matrices of a (k, n)-VCS, $M_0$ and $M_1$, under the XOR operation.
Proof: We need to prove that the basis matrices $M_0$ and $M_1$ satisfy the contrast and security conditions of Definition 1.
First, for the contrast condition, we need to prove that the Hamming weight of the stacking (XOR operation) of any k out of n rows of $M_0$ is less than that of $M_1$.
Denote $M_0^k$ (resp. $M_1^k$) as the sub-matrix generated by restricting to arbitrary k rows of $M_0$ (resp. $M_1$). According to the Steps 1 and 2 in Algorithm 2, it is clear that all the even (resp. odd) columns appear in $M_0^k$ (resp. $M_1^k$). Denote $I_0^k$ (resp. $I_1^k$) as the matrix whose columns are all the even (resp. odd) columns of length k. Because Algorithm 2 terminates when the rests of $M_0$ and $M_1$ are empty, it implies that the remaining columns of $M_0$ and $M_1$ are the same, that is, $M_0^k \setminus I_0^k = M_1^k \setminus I_1^k$. Denote R as the remaining columns of $M_0$ and $M_1$, we have $M_0^k = I_0^k \cup R$ and $M_1^k = I_1^k \cup R$. Because the XOR (operation) of the entries of an even (resp. odd) column is 0 (resp. 1), we have that the Hamming weight of the stacking (XOR operation) of the rows of $M_0^k$ is less than that of $M_1^k$. Hence, the contrast condition is satisfied.
Secondly, for the security condition, we need to prove that the sub-matrices of any less than k rows of $M_0$ and $M_1$ have the same columns, and only in such a case, all the column permutations of the two sub-matrices will generate the same collection, that is, the security condition is satisfied.
Figure 2 Experimental results of the colour (2, 2)-EVCS with pixel expansion of 4 under the visual cryptography model of Naor and Shamir
a Original two share image
b Original two share image
c Original secret image
d Encrypted shares
e Encrypted shares
f Resulting image by superimposing the shares Figs. 2d and 2e
Size of the secret image is 200 × 200
Denote $M_0^t$ (resp. $M_1^t$) as the sub-matrix generated by restricting to arbitrary t rows of $M_0$ (resp. $M_1$), where $t < k$. Denote $M_0^k$ (resp. $M_1^k$) as the sub-matrix generated by concatenating $M_0^t$ (resp. $M_1^t$) and arbitrary $k - t$ rows chosen from the remaining rows of $M_0$ (resp. $M_1$) (other than the rows in $M_0^t$ and $M_1^t$). As discussed above, we have $M_0^k = I_0^k \cup R$ and $M_1^k = I_1^k \cup R$, where $I_0^k$ (resp. $I_1^k$) is the matrix that contains all the even (resp. odd) columns of length k. Note that $I_0^k$ and $I_1^k$ are the basis matrices of a (k, k)-VCS proposed in [1, 19]. We have that the sub-matrices generated by restricting to any t rows of $I_0^k$ and $I_1^k$ have the same columns. Hence, the sub-matrices generated by restricting to any t rows of $M_0^k$ and $M_1^k$ have the same columns, that is, the security condition is satisfied. □
4.2 Black and white (k, n)-EVCS under the visual cryptography model of Tuyls
In this section, we propose a black and white (k, n)-EVCS under the visual cryptography model of Tuyls, that is, under the XOR operation, as follows:
Algorithm 3: Denote $S_c^{c_1,\ldots,c_n}$ as the basis matrix for the case that the n original share images have colour $c_1, \ldots, c_n$ and the secret image has colour c, for $c_1, \ldots, c_n, c \in \{0, 1\}$. Denote the binary matrices $M_0$ and $M_1$ as the basis matrices of a black and white (k, n)-VCS under the operation XOR, where all the rows of $M_0$ (resp. $M_1$) have the same Hamming weight. Denote a as its contrast and m as its pixel expansion.
Step 1: Construct an $n \times l$ matrix D as follows (l is an integer satisfying $1 \le l < am$):
For i = 1 to n do
{
If $c_i = 1$ then set all the entries of row i in D to 1;
Else set all the entries of row i in D to 0;
}
Step 2: The basis matrices $S_c^{c_1,\ldots,c_n}$ are obtained by concatenating the matrix D with $M_0$ and $M_1$, that is
$$S_c^{c_1,\ldots,c_n} = \begin{cases} [M_0, D], & \text{if } c = 0 \\ [M_1, D], & \text{if } c = 1 \end{cases}$$
where the notation [M, D] means the concatenation of the two matrices M and D.
It is easy to verify that the above construction generates a general black and white (k, n)-EVCS under the operation XOR, and the basis matrices $M_0$ and $M_1$ can be the basis matrices constructed in Section 4.1 and [24]. If $a \cdot m = 1$ holds, then, we can replace $M_0$ and $M_1$ by the matrices $[M_0, M_0]$ and $[M_1, M_1]$, respectively. Note that, the basis matrices generated in Section 4.1 always satisfy $am > 1$; hence, we can let $l = 1$ for any access structure. In fact, Algorithm 3 is not restricted to threshold EVCS only; it can be applied to the general access structure EVCS given that $M_0$ and $M_1$ are the basis matrices of the general access
structure VCS. Because of the lack of VCS for the general
access structure, this paper only considers the threshold
access structure for the case of EVCS. However, if such a
VCS of the general access structure exists, then our
approach can be applied to generate the corresponding
EVCS under the operation XOR directly.
Formally, we have the following theorem:
Theorem 4: Algorithm 3 generates the basis matrices $S_c^{c_1,\ldots,c_n}$ for a black and white (k, n)-EVCS under the operation XOR, where $c, c_1, \ldots, c_n \in \{0, 1\}$.
Proof: We need to prove that the basis matrices $S_c^{c_1,\ldots,c_n}$ satisfy the three conditions of Definition 2.
For the condition 1 of Definition 2: according to Algorithm 3, the pixel expansion of $S_c^{c_1,\ldots,c_n}$ is $m' = m + l$. Because $M_0$ and $M_1$ are basis matrices of the corresponding VCS, we have that the Hamming weight of the stacking results of any k out of n rows of $S_0^{c_1 \ldots c_n} = [M_0, D]$ is at most $h - am + l$ and that of $S_1^{c_1 \ldots c_n} = [M_1, D]$ is at least h. Hence
$$a_F = \frac{(h) - (h - am + l)}{m + l} = \frac{(am - l)}{m + l} > 0$$
For the condition 2 of Definition 2: because $M_0$ and $M_1$ are basis matrices of the corresponding (k, n)-VCS, and $S_0^{c_1,\ldots,c_n}$ and $S_1^{c_1,\ldots,c_n}$ are generated by concatenating the same matrix D to $M_0$ and $M_1$, and noting that $C_0^{c_1,\ldots,c_n}$ and $C_1^{c_1,\ldots,c_n}$ are the collections of all the permutations of $S_0^{c_1,\ldots,c_n}$ and $S_1^{c_1,\ldots,c_n}$, respectively, $C_0^{c_1,\ldots,c_n}$ and $C_1^{c_1,\ldots,c_n}$ satisfy the security condition 2 of Definition 2.
For the condition 3 of Definition 2: because all the rows of $M_0$ (resp. $M_1$) have the same Hamming weight, by concatenating the matrix D, the difference between a white pixel and a black pixel in the share image is l and, hence, $a_S = l/(m + l) > 0$.
In light of the above discussion, the theorem is proved. □
Two examples of black and white EVCS for the (2, 2)
access structure are as follows (for operations XOR and
OR, respectively):
Example 2: The first example is a black and white (2, 2)-EVCS under the visual cryptography model of Tuyls, that
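is, under the operation XOR
$$S_0^{10} = \begin{pmatrix} 1 & 0 & 1 \\ 1 & 0 & 0 \end{pmatrix}, \quad S_1^{10} = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}, \quad S_0^{11} = \begin{pmatrix} 1 & 0 & 1 \\ 1 & 0 & 1 \end{pmatrix}, \quad S_1^{11} = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}$$
$$S_0^{00} = \begin{pmatrix} 1 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}, \quad S_1^{00} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}, \quad S_0^{01} = \begin{pmatrix} 1 & 0 & 0 \\ 1 & 0 & 1 \end{pmatrix}, \quad S_1^{01} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 1 \end{pmatrix}$$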
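The second example is a black and white (2, 2)-EVCS under the visual cryptography model of Naor and Shamir, that is, under the operation OR
$$S_0^{10} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 0 & 0 & 1 \end{pmatrix}, \quad S_1^{10} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 0 \end{pmatrix}, \quad S_0^{11} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 \end{pmatrix}, \quad S_1^{11} = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$
$$S_0^{00} = \begin{pmatrix} 0 & 1 & 0 & 1 \\ 1 & 0 & 0 & 1 \end{pmatrix}, \quad S_1^{00} = \begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{pmatrix}, \quad S_0^{01} = \begin{pmatrix} 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 1 \end{pmatrix}, \quad S_1^{01} = \begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 1 \end{pmatrix}$$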
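Algorithm 3 and the three conditions used in the proof of Theorem 4 can be checked by brute force; the following is an added example, not code from the paper. It builds $[M_c, D]$ for every choice of share colours and tests the XOR contrast, the security of fewer than k shares and the share-image contrast. The function names are assumptions of this example, and the input matrices are the (2, 2) pair of Example 1 and the (2, 3) pair of Example 3.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations, product

# Basis matrices printed on this page: the (2, 2) pair of Example 1 and the
# (2, 3) pair of Example 3.
M0_22, M1_22 = [[1, 0], [1, 0]], [[1, 0], [0, 1]]
M0_23 = [[1, 0, 0], [1, 0, 0], [1, 0, 0]]
M1_23 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]


def xor_weight(matrix, rows):
    """Hamming weight of the XOR-stacking of the selected rows."""
    return sum(sum(matrix[r][c] for r in rows) % 2 for c in range(len(matrix[0])))


def column_multiset(matrix, rows):
    """Columns of the matrix restricted to `rows`, counted with multiplicity."""
    return Counter(tuple(matrix[r][c] for r in rows) for c in range(len(matrix[0])))


def algorithm3(M0, M1, share_colours, l=1):
    """Return (S_0, S_1) = ([M0, D], [M1, D]); row i of D is l copies of c_i."""
    S0 = [list(row) + [c] * l for row, c in zip(M0, share_colours)]
    S1 = [list(row) + [c] * l for row, c in zip(M1, share_colours)]
    return S0, S1


def check_evcs(M0, M1, k, l=1):
    """Brute-force the three EVCS conditions under XOR for all share colours.

    Returns (secret contrast, share-image contrast) as Fractions and raises
    ValueError naming the first condition that fails.
    """
    n, m = len(M0), len(M0[0])
    secret_gap = None
    black_cover, white_cover = [], []      # single-row weights grouped by c_i
    for colours in product((0, 1), repeat=n):
        S0, S1 = algorithm3(M0, M1, colours, l)
        # Condition 1: k stacked shares are darker when the secret bit is 1.
        for rows in combinations(range(n), k):
            gap = xor_weight(S1, rows) - xor_weight(S0, rows)
            if gap <= 0:
                raise ValueError(f"no contrast: rows {rows}, colours {colours}")
            secret_gap = gap if secret_gap is None else min(secret_gap, gap)
        # Condition 2: fewer than k shares see the same columns for both bits.
        for t in range(1, k):
            for rows in combinations(range(n), t):
                if column_multiset(S0, rows) != column_multiset(S1, rows):
                    raise ValueError(f"leak: rows {rows}, colours {colours}")
        # Collect single-row weights for condition 3.
        for S in (S0, S1):
            for i, c_i in enumerate(colours):
                (black_cover if c_i else white_cover).append(sum(S[i]))
    # Condition 3: every black cover pixel is darker than every white one.
    share_gap = min(black_cover) - max(white_cover)
    if share_gap <= 0:
        raise ValueError("cover image not visible on a single share")
    return Fraction(secret_gap, m + l), Fraction(share_gap, m + l)
```

For the (2, 2) pair with l = 1 the check returns a secret contrast of 2/3 and a share-image contrast of 1/3, the latter matching $l/(m + l)$ from the proof; the former is above the bound $(am - l)/(m + l) = 1/3$ because the D columns contribute equally to both stacked results.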
4.3 Colour VCS and colour EVCS under the visual cryptography model of Tuyls
The visual cryptography model of Tuyls is interesting for the
reasons of good resolution, contrast and colour properties.
The colour (n, n)-VCS on this visual cryptography model
can recover the secret image perfectly. However, there is no
known colour VCS for general (k, n)-VCS, not to mention
the colour EVCS under this visual cryptography model. In
this section, we propose the constructions of colour VCS
and colour EVCS under the visual cryptography model of
Tuyls.
The following construction constructs the colour (k, n)-VCS by Steps 1, 2, 3 and 4, and constructs the colour (k, n)-EVCS by Steps 1′, 2′, 3 and 4:
Construction 2: Constructions of the colour (k, n)-VCS and the colour (k, n)-EVCS under the visual cryptography model of Tuyls:
Setup: Denote the $n \times m$ matrices $M_0$ and $M_1$ as the basis matrices of a corresponding black and white (k, n)-VCS under the visual cryptography model of Tuyls, and denote the $n \times m'$ matrices $M_c^{c_1,\ldots,c_n}$ as the basis matrices of a corresponding black and white (k, n)-EVCS under the visual cryptography model of Tuyls, where $c, c_1, \ldots, c_n \in \{0, 1\}$. Denote $a_j$ as the grey level of 1s and $b_j$ as the grey level of 0s at bit-level j.
Output: The shares $S_i$ for $i = 1, \ldots, n$.
Step 1: Represent the grey levels of each colour channel (R, G and B, respectively) of all the pixels in the secret image by vectors of 8 bits, that is, the secret image is divided into 8 bit-levels, and each bit-level forms a binary image.
Step 1′: Represent the grey levels of each colour channel (R, G and B, respectively) of all the pixels in the secret image (resp. the n original share images) by vectors of 8 bits, that is, the secret image (resp. the n original share images) is divided into 8 bit-levels, and each bit-level forms a binary image.
Step 2: For each bit-level j and each colour channel, encrypt a bit by $P(M_0)$ and $P(M_1)$ for the colour channels R, G and B and bit-levels $j \in \{1, 2, \ldots, 8\}$, respectively, where $P(M_0)$, $P(M_1)$ are the random column permutations of $M_0$, $M_1$, and replace the 1s in $P(M_0)$, $P(M_1)$ by the grey level $a_j$ and the 0s by the grey level $b_j$.
Step 2′: For each bit-level j and each colour channel, encrypt a bit by $P(M_c^{c_1,\ldots,c_n})$ for the colour channels R, G and B and bit-levels $j \in \{1, 2, \ldots, 8\}$, respectively, where $P(M_c^{c_1,\ldots,c_n})$ is a random column permutation of $M_c^{c_1,\ldots,c_n}$, and replace the 1s in $P(M_c^{c_1,\ldots,c_n})$ by the grey level $a_j$ and the 0s by the grey level $b_j$.
Step 3: Repeat the steps 1 and 2 (resp. 1′ and 2′) until all the pixels in the secret image have been encrypted. Then, we obtain the shares $s_{i,t}^1, s_{i,t}^2, \ldots, s_{i,t}^8$ where $i \in \{1, 2, \ldots, n\}$, $t \in \{R, G, B\}$, and the share $s_{i,t}^j$ is denoted as the share for the participant i at the bit-level j for the colour channel t.
Step 4: Each participant i is distributed with a share $S_i$, where $S_i$ is generated by stacking the shares at the different bit-levels and of the different colour channels $s_{i,R}^1, s_{i,R}^2, \ldots, s_{i,R}^8, s_{i,G}^1, s_{i,G}^2, \ldots, s_{i,G}^8, s_{i,B}^1, s_{i,B}^2, \ldots, s_{i,B}^8$ for $i \in \{1, 2, \ldots, n\}$.
Construction 2 looks similar to Construction 1, except for the differences in the colour channels and the basis matrices $M_0$, $M_1$ and $M_c^{c_1,\ldots,c_n}$. However, Construction 1 cannot be applied properly under the visual cryptography model of Tuyls, because of the differences in choosing the values of the grey levels, which are caused by the different colour model. For the case of the construction of the colour VCS under the visual cryptography model of Naor and Shamir, we only need to choose the grey levels for the 1s of each bit-level, and leave the pixels of the 0s intact. However, for the case under the visual cryptography model of Tuyls, we have to choose the grey levels for both the 1s and 0s of each bit-level j, that is, the values of $a_j$ and $b_j$. We notice that, by choosing different grey levels for the bit-levels, we will obtain quite different visual effects. However, finding a formula to determine the proper values for $a_j$ and $b_j$ is rather complicated for the general (k, n)-VCS, which heavily depends on the contents of the secret image, the observer's experiences, the access structure and the intensity function of the visual cryptography model of Tuyls (i.e. the function $I_r(a) = \cos^2(a_1 + a_2)$) and so on. However, some basic rules should be satisfied, for example as follows. First, the distance between $a_j$ and $b_j$ should be larger than the distance between $a_{j+1}$ and $b_{j+1}$, that is
$|a_j - b_j| > |a_{j+1} - b_{j+1}|$, which means that the information about bit-level j should be more apparent than that of bit-level $j + 1$. Secondly, the average intensity of a white pixel, which contains m (m′) sub-pixels, should be larger than that of a black pixel, that is, a white pixel should be lighter than a black pixel.
The values of $a_j$ and $b_j$ in Example 3 satisfy the above rules.
In Step 2, because the encryption uses the $n \times m$ basis matrices $M_0$ and $M_1$, this scheme results in the pixel expansion of m, that is, the same as that of its corresponding black and white VCS. For general colour (k, n)-VCS, one can make use of the basis matrices of the corresponding black and white VCS proposed in Section 4.1 and [24] and so on.
In Step 2′, because the encryption uses the $n \times m'$ basis matrix $M_c^{c_1,\ldots,c_n}$, this latter scheme results in a pixel expansion of $m'$, that is, the same as that of its corresponding black and white EVCS. For general colour (k, n)-EVCS, one can make use of the corresponding basis matrices constructed in Section 2.3.
With regard to the security of Construction 2, we give the
following theorem about the security of the proposed colour
VCS and colour EVCS.
Theorem 5: Construction 2 generates n shares $S_i$ for $i = 1, \ldots, n$, where less than k out of these n shares cannot get any information about the secret image other than the size of the secret image.
Proof: In Construction 2, the corresponding black and white (k, n)-VCS and (k, n)-EVCS are applied to encrypt the secret bits at each bit-level and each colour channel, respectively, that is, for a particular bit-level j ($1 \le j \le 8$) and a colour channel X ($X = R, G, B$), the shares $s_{1,X}^j, s_{2,X}^j, \ldots, s_{n,X}^j$ constitute a black and white (k, n)-VCS. Because of the security conditions of Definitions 1 and 2, any less than k out of n shares cannot obtain any information about the secret image other than the size of the secret image on the bit-level j and colour channel X, and they cannot obtain any information about the secret image for other bit-levels and colour channels either, since the construction of the shares $s_{1,X}^j, s_{2,X}^j, \ldots, s_{n,X}^j$ is irrelevant to the information about the secret image on those bit-levels and colour channels. By applying the above discussions for all the bit-levels and colour channels, we have that any less than k out of n shares cannot obtain any information about the secret image other than the size of the secret image.
An example of Construction 2 is as follows.
Example 3: For the construction of colour (2, 3)-VCS by Construction 2: let the basis matrices of the corresponding black and white (2, 3)-VCS be $M_0 = \begin{pmatrix} 1 & 0 & 0 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}$ and $M_1 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$, where the pixel expansion is 3. To simplify the example, we let the secret image only have two bit-levels for each colour channel. Take the encryption of a pixel with a grey level 128 as example. The most and second most significant bits of the pixel are 1 and 0. Hence, we encrypt them by $P(M_1)$ and $P(M_0)$, where we replace the 1s and 0s of $P(M_1)$ by $a_1$ and $b_1$, and replace the 1s and 0s of $P(M_0)$ by $a_2$ and $b_2$, respectively. By encrypting all the pixels in the secret image, we obtain six shares for each participant i as $S_{i,C}^1$, $S_{i,C}^2$, $S_{i,M}^1$, $S_{i,M}^2$, $S_{i,Y}^1$ and $S_{i,Y}^2$. By stacking the six shares, we obtain the final share $S_i$ for participant i. Fig. 3 shows the experimental results of the colour (2, 2)-VCS, where we set the grey levels $a_1 = 200$, $b_1 = 0$, $a_2 = 0$ and $b_2 = 50$.
Figure 3 Experimental results of the colour (2, 3)-VCS under the visual cryptography model of Tuyls
a Original secret image
b Resulting image by superimposing the shares Figs. 3c and 3d
c Encrypted shares
d Encrypted shares
Other shares and recovered secret image are omitted here in order to shorten the paper
Size of the secret image is 256 × 170
Similarly, for the construction of colour (2, 2)-EVCS by Construction 2: let the basis matrices of the corresponding black and white (2, 2)-EVCS be the first example in Example 2, where the pixel expansion is 3. Let the secret image only have two bit-levels for each colour channel. For the encrypting of a pixel where the grey levels of the secret image, the first and second original share images are 192, 128 and 64, the most significant bits of the pixel in the three images are 1, 1, 0. Hence, we encrypt the most significant bit of this pixel by $P(S_1^{10})$. Similarly, we encrypt the second most significant bits of this pixel by $P(S_1^{01})$, where we replace the 1s and 0s in $P(S_1^{10})$ by the grey levels $a_1$ and $b_1$ and replace the 1s and 0s in $P(S_1^{01})$ by the grey levels $a_2$ and $b_2$, respectively. By encrypting all the pixels in the secret image, we obtain six shares for each participant i as $S_{i,C}^1$, $S_{i,C}^2$, $S_{i,M}^1$, $S_{i,M}^2$, $S_{i,Y}^1$ and $S_{i,Y}^2$. By stacking the six shares, we obtain the final share $S_i$ for participant i. Fig. 4 shows the experimental results of the colour (2, 2)-EVCS, where we set the grey levels $a_1 = 200$, $b_1 = 0$, $a_2 = 0$ and $b_2 = 50$.
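Steps 1 to 3 of Construction 2 for one colour channel, run on the (2, 3) matrices and grey levels of Example 3, as an added example that is not code from the paper. XOR-ing the 0/1 patterns of two shares stands in for the optical stacking, and the function names and the sample pixel values are assumptions of this example.

```python
import random

# Basis matrices of the black and white (2, 3)-VCS from Example 3.
M0 = [[1, 0, 0], [1, 0, 0], [1, 0, 0]]
M1 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
# Grey levels (a_j, b_j) for the most and second most significant bit-levels,
# as set in Example 3: a_1 = 200, b_1 = 0, a_2 = 0, b_2 = 50.
LEVELS = [(200, 0), (0, 50)]


def bit_levels(grey, depth):
    """Step 1: the `depth` most significant bits of an 8-bit grey level."""
    return [(grey >> (7 - j)) & 1 for j in range(depth)]


def encrypt_channel(pixels, rng, levels=LEVELS):
    """Steps 2 and 3 for one colour channel.

    Returns shares[i][j]: for participant i and bit-level j, a list holding
    one block of m grey levels per secret pixel.
    """
    n, m = len(M0), len(M0[0])
    shares = [[[] for _ in levels] for _ in range(n)]
    for grey in pixels:
        for j, bit in enumerate(bit_levels(grey, len(levels))):
            a_j, b_j = levels[j]
            order = list(range(m))
            rng.shuffle(order)                 # random column permutation P(M)
            basis = M1 if bit else M0
            for i in range(n):
                # 1s become grey level a_j, 0s become grey level b_j.
                shares[i][j].append([a_j if basis[i][c] else b_j for c in order])
    return shares


def recover_bits(share_x, share_y, levels=LEVELS):
    """XOR-stack two participants' shares and read back each pixel's bits."""
    recovered = []
    for p in range(len(share_x[0])):
        bits = []
        for j, (a_j, _) in enumerate(levels):
            x = [v == a_j for v in share_x[j][p]]
            y = [v == a_j for v in share_y[j][p]]
            weight = sum(u != w for u, w in zip(x, y))   # XOR, Hamming weight
            bits.append(1 if weight > 0 else 0)          # 0 for M0, 2 for M1
        recovered.append(bits)
    return recovered


def single_share_view(share, levels=LEVELS):
    """Per bit-level, the set of value multisets seen in one share's blocks."""
    return [{tuple(sorted(block)) for block in share[j]} for j in range(len(levels))]


if __name__ == "__main__":
    pixels = [0, 64, 128, 192, 255, 37]        # constructed sample channel
    shares = encrypt_channel(pixels, random.Random(7))
    print(recover_bits(shares[0], shares[2]))
    print(single_share_view(shares[1]))
```

Every block of a single share holds one $a_j$ and two $b_j$ whatever the secret bit, and the random column permutation makes the position of the odd value uniform, which is the single-share case of Theorem 5 for this scheme.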
5 Comparisons
In this section, we compare our constructions of colour (k, n)-
VCS and colour (k, n)-EVCS with known results in the
literature. In Table 1, the comparisons are on the following
criteria:
$C_1$: the pixel expansion of colour (k, n)-VCS under the visual cryptography model of Naor and Shamir;
$C_2$: the pixel expansion of colour (k, n)-EVCS under the visual cryptography model of Naor and Shamir;
$C_3$: the pixel expansion of colour (k, n)-VCS under the visual cryptography model of Tuyls;
$C_4$: the pixel expansion of colour (k, n)-EVCS under the visual cryptography model of Tuyls;
$C_5$: whether or not the construction is based on the halftone technique;
$C_6$: whether or not the increase in the number of colours of the recovered secret image will increase the pixel expansion;
$C_7$: whether or not the colour model of the construction considers the colour darkening phenomenon during stacking of pixels with the same colour;
$C_8$: whether or not the recovering of the secret image requires the assistance of computing devices.
Remark: For the criteria $C_1$, $C_2$, $C_3$ and $C_4$, it is clear that a smaller share is easier to carry and preserve, or requires less memory. Hence, the pixel expansion is expected to be as small as possible.

For the criterion $C_5$, we need to point out that the halftone technique usually expands the size of the secret image and degrades the quality of the secret image. In fact, the halftone technique without image expansion does exist; however, in such a case, it is equivalent to picking out the most significant bits of each pixel in the secret image and abandoning all the other information about the secret image, which results in a serious degeneration in the visual effect of the secret image.

For the criterion $C_6$, it is worth pointing out that, if the increase in the number of colours increases the pixel expansion, then the recovered secret image can only have a small number of colours in the practical sense.

Figure 4 Experimental results of the colour (2, 2)-EVCS under the visual cryptography model of Tuyls
a Original image
b Original image
c Original image and secret image
d Encrypted shares
e Encrypted shares
f Resulting image by superimposing the shares in Figs. 4d and 4e

For the criterion $C_7$, it is more practical if a colour model considers the phenomenon of colour darkening when stacking the pixels with the same colour.

For the criterion $C_8$, the beauty of the VCS is its simplicity; hence, it is better not to rely on the assistance of computing devices when recovering the secret image.
In Table 1, $c$ is the number of colours and $m$ and $m'$ are the pixel expansions of the corresponding black and white (k, n)-VCS and (k, n)-EVCS that are used as building blocks. The N/A in the $C_1$ column indicates that the corresponding constructions do not provide an explicit expression to calculate the pixel expansion for their colour (k, n)-VCS. The in the $C_2$, $C_3$ and $C_4$ columns indicates that the corresponding criteria do not apply.
According to the above comparisons, the advantages of our constructions can be seen as follows. First, compared with the constructions proposed in [4, 5, 8, 10, 11, 15-18], the pixel expansion of our constructions is small, our constructions have the ability to represent all colours, and our colour model considers the phenomenon of colour darkening when stacking the pixels with the same colour, which makes our constructions more practical. Secondly, compared with the constructions proposed in [6, 7, 9, 13], our constructions do not need the halftone process while maintaining a small pixel expansion. Thirdly, compared with the construction proposed in [9, 12], our constructions do not need the assistance of computing devices.

Furthermore, compared with the constructions in [6, 9, 13], our constructions can generate VCS and EVCS for general (k, n) threshold access structure, and the constructions in [6, 9, 13] only generated VCS or EVCS for specific access structures, for example the (2, 2) and (2, n) access structure.
6 Conclusion and future work
This paper proposed a colour (k, n)-VCS under the visual
cryptography model of Naor and Shamir with no pixel
expansion, a colour (k, n)-EVCS under the visual
cryptography model of Naor and Shamir with pixel
expansion the same as that of its corresponding black and
white (k, n)-EVCS, a black and white (k, n)-VCS and a
black and white (k, n)-EVCS under the visual cryptography
model of Tuyls. Based on the black and white schemes, we
proposed a colour (k, n)-VCS and a colour (k, n)-EVCS
under the same visual cryptography model, where the pixel
expansions are the same as that of their corresponding
black and white (k, n)-VCS and (k, n)-EVCS, respectively.
We also gave the experimental results of the proposed
schemes, and we compared the proposed scheme with
known schemes in the literature.
Unfortunately, the colour EVCS proposed above all have
the disturbing phenomenon, that is, part of the information
about the original share images may appear in the recovered
secret image. It is hard to eradicate such a phenomenon,
but it is possible to find a method to weaken it. This
challenging problem is left as an open problem.
Another open problem is how to determine the grey levels of the bit-levels $a_i$ and $b_i$ ($i \in \{1, \ldots, 8\}$), which is quite complicated and depends on the different colour model, the content of the secret image, the access structure, the observers' experiences and so on.

Table 1 Comparisons with the known results in the literature

| Constructions | $C_1$ | $C_2$ | $C_3$ | $C_4$ | $C_5$ | $C_6$ | $C_7$ | $C_8$ |
|---|---|---|---|---|---|---|---|---|
| ours | 1 | m | m | m | no | no | yes | no |
| Cimato et al. [4] | N/A | | | | no | yes | no | no |
| Cimato et al. [5] | $c\binom{n}{k}2^{k-2}$ | | | | no | yes | yes | no |
| Hou and Tu [7] | 1 | | | | yes | no | yes | no |
| Lukac and Plataniotis [12] | m | | | | no | no | yes | yes |
| Shyu et al. [15] | $\lceil \log c \rceil m$ | | | | no | yes | no | no |
| Verheul and Tilborg [16] | $q^{k-1}$ ($q \ge c$) | | | | no | yes | no | no |
| Yang and Laih [18] | cm | | | | no | yes | no | no |
| Koga and Yamamoto [11] | N/A | | | | no | yes | no | no |
| Koga et al. [10] | N/A | | | | no | yes | no | no |
| Ishihara and Koga [8] | N/A | | | | no | yes | no | no |
| Yang and Chen [17] | 1 | | | | no | no | no | no |
7 Acknowledgments
Many thanks to the anonymous reviewers for their valuable
comments.
This work was supported by China national 973 project
No. 2004CB318004 and China national 863 project No.
2006AA01Z423.
8 References
[1] NAOR M., SHAMIR A.: Visual cryptography. EUROCRYPT '94, 1995, (LNCS, 950), pp. 1-12
[2] TUYLS P., KEVENAAR T., SCHRIJEN G.J., STARING T., DIJK M.V.: Security displays enabling secure communications. 1st Int. Conf. Pervasive Computing, Boppard, Germany, 2004, (LNCS, 2802), pp. 271-284
[3] Patent with International Application No.: PCT/IB2003/000261, Secure visual message communication method and device. 2003
[4] CIMATO S., PRISCO R.D., DE SANTIS A.: Optimal colored threshold visual cryptography schemes, Des. Codes Cryptogr., 2005, 35, pp. 311-335
[5] CIMATO S., DE PRISCO R., DE SANTIS A.: Colored visual cryptography without color darkening, Theor. Comput. Sci., 2007, 374, pp. 261-276
[6] HOU Y.C.: Visual cryptography for color images, Pattern Recognit., 2003, 1773, pp. 1-11
[7] HOU Y.C., TU C.F.: Visual cryptography techniques for color images without pixel expansion (in Chinese), J. Inf. Technol. Soc., 2004, 1, pp. 95-110
[8] ISHIHARA T., KOGA H.: A visual secret sharing scheme for color images based on meanvalue-color mixing, IEICE Trans. Fundam., 2003, E86-A, pp. 194-197
[9] JIN D., YAN W.Q., KANKANHALLI M.S.: Progressive color visual cryptography, J. Electron. Imaging, 2005, 14, (3), pp. 033019
[10] KOGA H., IWAMOTO M., YAMAMOTO H.: An analytic construction of the visual secret sharing scheme for color images, IEICE Trans. Fundam., 2001, E84-A, (1), pp. 262-272
[11] KOGA H., YAMAMOTO H.: Proposal of a lattice-based visual secret sharing scheme for color and gray-scale images, IEICE Trans. Fundam., 1998, E81-A, (6), pp. 1262-1269
[12] LUKAC R., PLATANIOTIS K.N.: Color image secret sharing, IEE Electron. Lett., 2004, 40, (9), pp. 529-530
[13] NAKAJIMA M., YAMAGUCHI Y.: Extended visual cryptography for natural images. WSCG Conf. 2002, 2002, pp. 303-412
[14] RIJMEN V., PRENEEL B.: Efficient color visual encryption or shared colors of benetton. The rump session of Eurocrypt '96, Also available at http://www.esat.kuleuven.ac.be/rijmen/vc/. 1996
[15] SHYU S.J.: Efficient visual secret sharing scheme for color images, Pattern Recognit., 2006, 39, pp. 866-880
[16] VERHEUL E., TILBORG H.V.: Constructions and properties of k out of n visual secret sharing schemes, Des. Codes Cryptogr., 1997, 11, (2), pp. 179-196
[17] YANG C.N., CHEN T.S.: Colored visual cryptography scheme based on additive color mixing, Pattern Recognit., 2008, 41, (10), pp. 3114-3129
[18] YANG C.N., LAIH C.S.: New colored visual secret sharing schemes, Des. Codes Cryptogr., 2000, 20, pp. 325-335
[19] DROSTE S.: New results on visual cryptography. CRYPTO '96, 1996, (LNCS, 1109), pp. 401-415
[20] ATENIESE G., BLUNDO C., DE SANTIS A., STINSON D.R.: Extended capabilities for visual cryptography, ACM Theor. Comput. Sci., 2001, 250, (1-2), pp. 143-161
[21] ITO R., KUWAKADO H., TANAKA H.: Image size invariant visual cryptography, IEICE Trans. Fundam. Electron. Commun. Comput. Sci., 1999, E82-A, (10), pp. 2172-2177
[22] YANG C.N.: New visual secret sharing schemes using probabilistic method, Pattern Recognit. Lett., 2004, 25, pp. 481-494
[23] BLUNDO C., DE SANTIS A., STINSON D.R.: On the contrast in visual cryptography schemes, J. Cryptol., 1999, 12, (4), pp. 261-289
[24] TUYLS P., HOLLMANN H.D.L., VAN LINT J.H., TOLHUIZEN L.: Xor-based visual cryptography schemes, Des. Codes Cryptogr., 2005, 37, pp. 169-186