1 Introduction

Visual cryptography scheme (VCS) is a novel type of secret sharing scheme that focuses on protecting images; it was first introduced by Naor and Shamir [13] in 1994. In a conventional (k, n)-VCS, a secret image is encrypted into n noise-like shares. The generated shares are then printed onto transparencies and distributed secretly to n different participants. The secret image can be reconstructed by directly superimposing any k or more shares, while any fewer than k participants gain no valid information about the secret image. The unique feature of conventional VCS is that the secret image can be reconstructed by the human visual system alone, without computing devices or knowledge of cryptography. Unfortunately, the conventional (k, n)-VCS has two major problems: pixel expansion and poor contrast.

Since the pioneering work of Naor and Shamir, many schemes have been developed. In 1987, Ateniese et al. [1] introduced a general access structure for VCS, which is more general than the initial scheme proposed by Naor and Shamir. To reduce the pixel expansion, probabilistic VCS (PVCS) and RG-based VCS were developed in turn. In [24], Yang first proposed PVCS to generate shares without pixel expansion, and the proposed method can be easily applied to conventional VCS. Kafri and Keren [10] introduced the basic model of RG-based VCS; in their model, a binary secret image is encoded into n noise-like shares of the same size as the secret image. Because these schemes mainly concern the encryption of one secret image, Wu and Chen [18] filled the gap by first considering the problem of sharing two secret images using two shares. In their scheme, the first secret image can be recovered by stacking \(share\,1\) and \(share\,2\) directly, and the second secret image can be obtained by stacking \(share\,1\) and \(Rshare\,2\), where \(Rshare\,2\) is obtained by rotating \(share\,2\). For the cheating problem in VCS, Yang and Laih [25] achieved cheating immune VCS for the first time in 1999, using a trusted third party and extra pixels.

After Kafri and Keren [10] first introduced the basic model of RG-based VCS, the study of RG-based VCS was silent for some time. In 2009, Shyu [16] first gave a formal definition of RG-based VCS. Later, Chen and Tsao [2] presented a threshold RG-based VCS so that it could be applied more widely. In the same year, the same two authors [3] proposed a novel RG-based VCS by skillfully designing a procedure for distinguishing different light transmissions on the generated shares. Subsequently, Wu and Sun [20] introduced a new RG-based VCS supporting both OR and XOR decryption. To improve the contrast of RG-based VCS, Guo et al. [4], Wu and Sun [21], and Hu et al. [9] improved the visual quality of the reconstructed image through modified encryption algorithms. Thereafter, Yan and Lu [23] proposed an RG-based (k, n)-VCS that allows participants to be added in the future: in their scheme, q new shares can be obtained from the original n shares without knowing the original generation algorithm or the original secret image. In 2019, Wu and Lai [19] gave a new scheme to further extend the generalized general access structure. Recently, Liu et al. [12] introduced a weighted VCS for general access structures based on random grids. In their scheme, because the total weight of the shares participating in the recovery process differs, different participants can gain different information about the secret image.

Cheating immunity is one of the pressing issues in VCS. A malicious participant reconstructs a fake secret image by stacking a fake share with the genuine shares. Unfortunately, the victim cannot detect the cheating and has to take the fake secret image as the genuine secret image. This is intolerable because the secret image is usually important to the victim. After Yang and Laih [25] first discussed the cheating problem of VCS, many studies focused on cheating problems in VCS. In 2006, Prisco and Santis [14] developed a cheating immune scheme by adding some columns to the basis matrices of (2, n)-VCS. In the same year, Horng et al. [5] showed that cheating is possible in VCS and gave two solutions for cheating immunity. In the first solution, they generated n verifiable shares corresponding to the original shares. The other method is based on the \((2,n+l)\)-VCS scheme instead of the (2, n)-VCS, where \(l\ge 1\). Tsai et al. [17] achieved a cheating immune scheme by adopting generic algorithms to encode a homogeneous secret image. Ren et al. [15] proposed a novel method in 2017 in which they first utilized Latin squares to prevent cheating in VCS. In 2020, Yadav and Ranvijay [22] introduced a cheating immune scheme based on the Hamming code. The novelty of that scheme is to convert the fake (modified) shares into the original shares with 100% accuracy. In the same year, Yang et al. [26] improved the block based progressive (2, n)-VCS. The proposed block based progressive (k, n)-VCS is not only cheating immune but also suitable for general access structures. Finally, we classify the techniques in the above schemes as follows: extra pixel expansion, extra verification shares, higher encryption/decryption overhead, and participation of a trusted third party.

We are inspired by Wu et al.’s work [18] and Lin et al.’s work [11], which respectively reconstruct multiple secret images and reveal an authentication pattern by partially superimposing any pair of verifiable shares. By combining multiple-secret VCS with RG-based CIVCS, we propose a novel scheme that takes advantage of the approaches in [18] and [11]. That is, we endow RG-based VCS with the ability to prevent cheating by stacking any two verifiable shares at a variety of angles, including rotating one of the two shares by \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\) counterclockwise. If we stack any two shares at the different angles, the authentication patterns of three adjacent and non-intersecting concentric solid black rings are revealed respectively. That is, every participant can identify whether the share supplied by another participant is genuine or counterfeit. The main contribution of this paper is a new RG-based CIVCS that realizes cheating prevention without extra verification shares. Since the proposed scheme is based on random grids, it has no pixel expansion. Moreover, authentication and reconstruction can be carried out by the human visual system alone. Thus, the proposed RG-based CIVCS overcomes the shortcomings of existing approaches.

The rest of this paper is organised as follows. The concepts of conventional VCS and RG-based (k, n)-VCS are introduced briefly in Section 2. Section 3 describes the details of the proposed CIVCS. We present the experimental results and discussions in Section 4. Finally, the conclusions are presented in Section 5.

2 Preliminaries

In this section, we briefly review the conventional (k, n)-VCS, the RG-based (k, n)-VCS and the definition of cheating immune.

In this paper, digits 0 and 1 indicate transparent and opaque respectively, that is to say, digit 0 (resp. 1) denotes white (resp. black) pixel. Symbols \(\otimes\) and \(\oplus\) represent the Boolean OR and XOR operation respectively. In addition, the secret image is a binary image.

2.1 The conventional (k, n)-VCS

Naor and Shamir [13] first realized VCS by the use of two Boolean basis matrices \(B_{0}\) and \(B_{1}\). The definition of conventional (k, n)-VCS is given as follows.

Definition 2.1

(Naor and Shamir’s scheme [13]) A (k, n)-VCS consists of two \(n\times m\) Boolean basis matrices \(B_{0}\) and \(B_{1}\). Collection \(C_{0}\) (resp. \(C_{1}\)) is spanned by the column permutations of \(B_{0}\) (resp. \(B_{1}\)). The scheme is considered valid when the following conditions are satisfied:

(1) If \(t \ge k\), for any \(\bar{B}_{0}\in C_{0}\), denote \(v_{0}\) as the ‘or’ vector of any t out of n rows of \(\bar{B}_{0}\), then the vector \(v_{0}\) satisfies \(H(v_{0})\le l\). Meanwhile, for any \(\bar{B}_{1}\in C_{1}\), denote \(v_{1}\) as the ‘or’ vector of any t out of n rows of \(\bar{B}_{1}\), then the vector \(v_{1}\) satisfies \(H(v_{1})\ge h\).

(2) If \(t < k\), we have \(H(v_{0})= H(v_{1})\).

Here h and l are integers which satisfy \(0<l<h\le m\), and H(v) denotes the Hamming weight of the vector v.

The parameter m is called pixel expansion and the contrast is defined as \(\alpha =\frac{h-l}{m}\) (\(0\le \alpha \le 1\)). Parameters m and \(\alpha\) are two key parameters of VCS. Pixel expansion indicates that each generated share is m times larger than the original secret image. Contrast reflects the visual quality of the recovered image. Condition (1) ensures that the secret image can be recovered by any k or more shares, and condition (2) guarantees that any less than k participants can not reconstruct the secret image. A valid VCS construction should meet the above two conditions.

Definition 2.2

(Visually recognizable condition [13]) The recovered secret image is said to be visually recognizable with respect to the secret image S, if the contrast of the recovered secret image is greater than zero.

Definition 2.3

(Security condition [13]) A VCS is said to be secure, if the contrast of the recovered secret image is equal to zero.

The experiment of (2, 3)-VCS is shown in Fig. 1, where \(B_{0}=\left[ \begin{array}{ccc}0 & 1 & 1\\ 0 & 1 & 1\\ 0 & 1 & 1\\ \end{array} \right] , B_{1}=\left[ \begin{array}{ccc}0 & 1 & 1\\ 1 & 0 & 1\\ 1 & 1 & 0\\ \end{array}\right]\). Figure 1(a) is the binary secret image with the size of \(256\times 256\). The three shares are shown in Fig. 1(b)–(d). Figure 1(e)–(h) are the results of stacking different combinations of shares. The pixel expansion is \(m=3\) and the contrast of Fig. 1(e)–(h) is \(\frac{1}{3}\) in every case.

Fig. 1 Experimental results of (2, 3)-VCS. (e) \(S_{1}\otimes S_{2}\), (f) \(S_{1}\otimes S_{3}\), (g) \(S_{2}\otimes S_{3}\), (h) \(S_{1}\otimes S_{2}\otimes S_{3}\)
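The following added example (not part of the original paper) checks the two conditions of Definition 2.1 on the basis matrices \(B_{0}\) and \(B_{1}\) quoted above and then encodes a small constructed image with them. The function names and the 2×2 sample image are assumptions made for illustration.

```python
import itertools
import random
from fractions import Fraction

# Basis matrices of the (2, 3)-VCS quoted in the text
# (rows = shares, columns = subpixels, 1 = black/opaque).
B0 = [[0, 1, 1], [0, 1, 1], [0, 1, 1]]
B1 = [[0, 1, 1], [1, 0, 1], [1, 1, 0]]


def stacked_weight(matrix, rows):
    """Hamming weight of the OR of the chosen rows (stacked transparencies)."""
    return sum(any(matrix[r][c] for r in rows) for c in range(len(matrix[0])))


def check_basis(b0, b1, k):
    """Verify Definition 2.1 and return (l, h, contrast).

    Column permutations do not change Hamming weights, so checking the
    basis matrices covers every member of C0 and C1.
    """
    n, m = len(b0), len(b0[0])
    lows, highs = [], []
    for t in range(1, n + 1):
        for rows in itertools.combinations(range(n), t):
            w0, w1 = stacked_weight(b0, rows), stacked_weight(b1, rows)
            if t < k:
                if w0 != w1:  # condition (2): fewer than k shares leak nothing
                    raise ValueError(f"rows {rows} distinguish white from black")
            else:
                lows.append(w0)
                highs.append(w1)
    l, h = max(lows), min(highs)  # condition (1): H(v0) <= l and H(v1) >= h
    if not 0 < l < h <= m:
        raise ValueError("no valid thresholds l < h")
    return l, h, Fraction(h - l, m)


def encode(secret, b0, b1, rng=None):
    """Encode a binary image (list of rows) into n shares, m subpixels per pixel."""
    rng = rng or random.SystemRandom()  # OS randomness for the permutations
    n, m = len(b0), len(b0[0])
    shares = [[[] for _ in secret] for _ in range(n)]
    for y, row in enumerate(secret):
        for pixel in row:
            cols = list(range(m))
            rng.shuffle(cols)  # pick a random member of C0 or C1
            basis = b1 if pixel else b0
            for s in range(n):
                shares[s][y].extend(basis[s][c] for c in cols)
    return shares


def stack(*shares):
    """Superimpose shares: a subpixel is black if it is black on any share."""
    return [[int(any(px)) for px in zip(*rows)] for rows in zip(*shares)]


def block_weights(image, m):
    """Number of black subpixels in each m-wide block (one block per secret pixel)."""
    return [[sum(row[i:i + m]) for i in range(0, len(row), m)] for row in image]


if __name__ == "__main__":
    print(check_basis(B0, B1, k=2))
    sample = [[0, 1], [1, 0]]  # constructed 2x2 secret image
    s1, s2, s3 = encode(sample, B0, B1)
    print(block_weights(s1, 3), block_weights(stack(s1, s2), 3))
```

Every block of a single share carries two black subpixels regardless of the secret pixel, while two stacked shares show two black subpixels for a white pixel and three for a black one, which is the contrast of \(\frac{1}{3}\) stated above.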

2.2 Random grid based visual cryptography scheme

Different from the conventional (k, n)-VCS, the RG-based (k, n)-VCS encodes a secret image into n same-sized random shares \(R_{1}, R_{2},\ldots , R_{n}\). The concepts of RG-based VCS were first given by Shyu [16] in 2009.

Definition 2.4

(Average light transmission [16]) For a certain pixel S(i, j) in a binary image S whose size is \(M\times N\), the light transmission of a white pixel is defined as \(T(S(i,j))=1\), whereas we define \(T(S(i,j))=0\) when S(i, j) is a black pixel. The average light transmission of S is defined as

$$\begin{aligned} T(S)=\frac{1}{M\times N}\times \sum \limits _{i=1}^{M}\sum \limits _{j=1}^{N}T(S(i,j)). \end{aligned}$$

Definition 2.5

(Contrast [16]) For \(1\le t\le n\), the contrast is defined as:

$$\begin{aligned} \alpha =\frac{T(S_{\hat{1}\otimes \cdots \otimes \hat{t}}[S=0])-T({S_{\hat{1}\otimes \cdots \otimes \hat{t}}[S=1]})}{1+T({S_{\hat{1}\otimes \cdots \otimes \hat{t}}[S=1]})}, \end{aligned}$$

where \(T(S_{\hat{1}\otimes \cdots \otimes \hat{t}}[S=0])\) (resp. \(T(S_{\hat{1}\otimes \cdots \otimes \hat{t}}[S=1])\)) represents the light transmission of the corresponding area of all the white (resp. black) pixel in the recovered image, \(S_{\hat{1}\otimes \hat{2}\otimes \dots \otimes \hat{t}}=S_{\hat{1}}\otimes S_{\hat{2}}\otimes \dots \otimes S_{\hat{t}}\) and \(\{S_{\hat{1}},S_{\hat{2}},\ldots ,S_{\hat{t}}\}\subseteq \{S_{1},S_{2},\ldots ,S_{n}\}\).

Definitions 2.4 and 2.5 are known as average light transmission and contrast respectively. Contrast measures the visual quality of the recovered secret image and is expected to be as large as possible. Chen and Tsao [2] proposed an RG-based (k, n)-VCS, which is presented as Algorithm 1.

[Figure a: Algorithm 1]

We here give a simulation result produced by Algorithm 1. The experiment of (2, 3)-RGVCS is exhibited in Fig. 2. Figure 2(a) is the binary secret image with the size of \(512\times 512\). The three shares are shown in Fig. 2(b)–(d). Figure 2(e)–(h) are the results of stacking different combinations of shares. The pixel expansion is \(m=1\) and the contrast of Fig. 2(e)–(h) is 0.2859, 0.2868, 0.2866, 0.5010 respectively.

Fig. 2 Experimental results of RG-based (2, 3)-VCS. (e) \(S_{1}\otimes S_{2}\), (f) \(S_{1}\otimes S_{3}\), (g) \(S_{2}\otimes S_{3}\), (h) \(S_{1}\otimes S_{2}\otimes S_{3}\)

2.3 Cheating in VCS

In the reconstruction phase, if a participant presents a fake share and the fake share is used to recover the secret image, then we refer to that participant as a malicious participant. A participant is called a victim if the participant cannot detect whether the recovered secret image is the original secret image or not and has to believe that the recovered image is the original secret image. The definition of cheating immune is given as follows.

Definition 2.6

(Cheating Immune [14]) A VCS is called cheating immune if and only if the probability of the successful cheating in any pixel is less than one.

3 The proposed scheme

In this section, we improve the RG-based (k, n)-VCS proposed by Chen and Tsao [2]. The improved algorithm is presented as Algorithm 2, and the sharing procedure for a secret pixel S(i, j) is shown in Fig. 3. To deal with the cheating problem of VCS, we present a novel RG-based CIVCS and give the theoretical proofs in this section. The algorithmic steps of our proposed CIVCS are presented in Algorithm 3.

[Figure b: Algorithm 2]

Fig. 3 The flow chart of Algorithm 2

In [18], Wu and Chen introduced a (2, 2)-VCS for two secret images. One can reconstruct the first secret image by stacking the two shares directly, while the second secret image is recovered by stacking the two shares with one of them rotated. Lin et al. [11] revealed the authentication pattern by partially superimposing any pair of verifiable shares. Drawing on the approaches of these two papers, we stamp three adjacent and non-intersecting concentric solid black rings on any two shares, one ring for each angle at which one share is rotated. Since the shares are rectangular, the rotation angles are limited to \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\). The steps of the proposed CIVCS for stamping the n original shares \(R_{1},R_{2},\ldots ,R_{n}\) into n verifiable shares \(S_{1},S_{2},\ldots ,S_{n}\) are described in Algorithm 3. The three adjacent and non-intersecting concentric solid black rings are revealed respectively when stacking any two verifiable shares while one share is rotated by \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\).

To guarantee the visual effect of the authentication patterns, the width of each authentication ring should be no less than five pixels. We denote by W (\(W\ge 5\)) the pixel width of each adjacent and non-intersecting concentric solid black ring. Because of the size of the authentication patterns, the secret image should be adjusted to the number of participants: the size of the secret image (no less than \([3W\cdot (n^{2}-n)+2W]\times [3W\cdot (n^{2}-n)+2W]\)) grows with increasing n in (k, n)-CIVCS.

3.1 Share generation

3.1.1 Image preprocessing

Firstly, we choose the center pixel of the secret image S. The size of the secret image S is \(M\times N\). If both M and N are odd numbers, then we select \(S(\lceil \frac{M}{2}\rceil , \lceil \frac{N}{2}\rceil )\) as the center pixel of the secret image. Otherwise, we generate one random row vector or column vector and insert the generated row or column into the secret image as the \(\lceil \frac{M+1}{2}\rceil\)-th row or \(\lceil \frac{N+1}{2}\rceil\)-th column. Both the row vector and the column vector are generated randomly, with white and black pixels each appearing with probability \(\frac{1}{2}\). After the above steps, we obtain a processed secret image with an odd number of rows and columns. It should be noted that the added row or column is removed before the verifiable shares are output in Algorithm 3.

Fig. 4 Preprocessing procedure

For example, suppose the size of the secret image is \(4\times 4\). We generate a random 4-dimensional row and insert the generated row between the second row and the third row. Similarly, we generate a random 5-dimensional column and insert the generated column between the second column and the third column. Finally, we obtain the processed secret image with five rows and five columns. The preprocessing procedure of a secret image with size \(4\times 4\) is illustrated in Fig. 4.

3.1.2 Share generation

We stamp three adjacent and non-intersect concentric solid black rings on any two shares by using Algorithm 3. The detailed steps of Algorithm 3 are described as follows.

[Figure c: Algorithm 3]

The key step of Algorithm 3 is Step 4. Step 4 ensures that the stacked results of any two rotated shares reveal solid black rings. \(R_{\{p,q\}}(i,j)\) denotes the pixel in the i-th row and j-th column of shares \(R_{p}\) and \(R_{q}\). The modification rules are described as follows.

Modification rule 1: For \(1\le i\le \overline{M}\), \(1\le j\le \overline{N}\)

(a) If the pixel \(R_{p}(i,j)\) is white, then modify it into black with the probability of \(\frac{1}{2}-\frac{k}{4n}\).

(b) If the pixel \(R_{q}(i,j)\) is white, then modify it into black with the probability of \(\frac{1}{2}-\frac{k}{4n}\).

Modification rule 2: For \(1\le i\le \overline{M}\), \(1\le j\le \overline{N}\)

If both \(R_{p}(i,j)\) and \(R_{q}(i,j)\) are white pixels, then randomly select one pixel from \(R_{\{p,q\}}(i,j)\), and modify it into black.

3.1.3 Authentication and reconstruction

We consider the corresponding shares genuine when the following conditions are simultaneously satisfied: (1) every verifiable share is a noise-like share in which the distribution of white and black pixels is even; (2) three adjacent and non-intersecting concentric solid black rings are revealed respectively by stacking any two verifiable shares in several ways, including rotating one of the two shares by \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\) counterclockwise; (3) each concentric ring is a solid black ring. If any one of the above conditions is not met, the verifier refuses to provide the share and stops the recovery procedure.

If any t (\(t\ge k\)) shares are regarded as genuine shares after the authentication phase, then we can recover the secret image by stacking the corresponding shares. The authentication procedure is illustrated in Fig. 5.

Fig. 5 The authentication procedure

3.2 Properties analysis

In this subsection, we analyse the proposed RG-based (k, n)-VCS and prove that Algorithm 3 is a valid construction for cheating immune. Firstly, we prove that Algorithm 2 is a valid construction.

Lemma 3.1

Given a secret pixel S(i, j) in Algorithm 2, the pixels \(r_{1},\ldots , r_{n}\) satisfy

$$\begin{aligned} Prob(r_{i}=0)=1-\frac{k}{2n},\,Prob(r_{i}=1)=\frac{k}{2n},\, where \,\,1\le i\le n. \end{aligned}$$

Proof

In Algorithm 2, the first \(k-1\) pixels are generated randomly, we obtain

$$\begin{aligned} Prob(\bar{r}_{i}=0)=Prob(\bar{r}_{i}=1)=\frac{1}{2}, \,\,where \,\,1\le i\le k-1. \end{aligned}$$

Since \(\bar{r}_{k}=S(i,j)\oplus \bar{r}_{k-1}\oplus \bar{r}_{k-2}\oplus \dots \oplus \bar{r}_{1}\), we have

$$\begin{aligned} Prob(\bar{r}_{k}=0)=Prob(\bar{r}_{k}=1)=\frac{1}{2}. \end{aligned}$$

By Algorithm 2, the remaining \(n-k\) pixels are \(\bar{r}_{k+1}=\bar{r}_{k+2}=\dots =\bar{r}_{n}=0\), so we obtain

$$\begin{aligned} Prob(r_{i}=0)=\frac{k}{n}\times \frac{1}{2}+\frac{n-k}{n}\times 1=1-\frac{k}{2n}, \end{aligned}$$

and

$$\begin{aligned} Prob(r_{i}=1)=\frac{k}{n}\times \frac{1}{2}+\frac{n-k}{n}\times 0=\frac{k}{2n}, \,where\,\, 1\le i\le n. \end{aligned}$$

Lemma 3.2

(Hu et al. [9]) Given a secret pixel S(i, j) in Algorithm 2, any t \((t< k)\) pixels of \(\bar{r}_{1},\bar{r}_{2},\ldots ,\bar{r}_{k}\) satisfy

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])=\frac{1}{2^{t}}, \end{aligned}$$

where \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])\) (resp. \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])\)) means the probability of light transmission after stacking t pixels when the corresponding area of the secret image is white (resp. black), \(\hat{r}_{1\otimes 2\otimes \dots \otimes t}=\hat{r}_{1}\otimes \hat{r}_{2}\otimes \dots \otimes \hat{r}_{t}\), and \(\{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\subseteq \{\bar{r}_{1},\bar{r}_{2},\dots ,\bar{r}_{k}\}\).

Proof

To prove this lemma, we consider the following two cases:

Case 1: \(\bar{r}_{k}\in \{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\)

Without loss of generality, we suppose that the t pixels are \(\bar{r}_{1},\bar{r}_{2},\dots ,\bar{r}_{t-1},\bar{r}_{k}\). According to Algorithm 2, the \(t-1\) pixels \(\bar{r}_{1},\bar{r}_{2},\dots ,\bar{r}_{t-1}\) are generated randomly, we have

$$\begin{aligned} T(\bar{r}_{1\otimes 2\otimes \dots \otimes t-1}[S(i,j)=0])=T(\bar{r}_{1\otimes 2\otimes \dots \otimes t-1}[S(i,j)=1])=\frac{1}{2^{t-1}}. \end{aligned}$$

Since \(\bar{r}_{k}=S(i,j)\oplus \bar{r}_{k-1}\oplus \bar{r}_{k-2}\oplus \dots \oplus \bar{r}_{1}\), we obtain

$$\begin{aligned}&Prob(\bar{r}_{k}=0|\bar{r}_{1}=0,\bar{r}_{2}=0,\ldots ,\bar{r}_{t-1}=0,S(i,j)=0)\\= & {} Prob(\bar{r}_{t}\oplus \bar{r}_{t+1}\oplus \dots \oplus \bar{r}_{k-1}=0)=\frac{1}{2}, \end{aligned}$$

and

$$\begin{aligned}&Prob(\bar{r}_{k}=0|\bar{r}_{1}=0,\bar{r}_{2}=0,\ldots ,\bar{r}_{t-1}=0,S(i,j)=1)\\= & {} Prob(\bar{r}_{t}\oplus \bar{r}_{t+1}\oplus \dots \oplus \bar{r}_{k-1}=1)=\frac{1}{2}. \end{aligned}$$

Therefore, we have

$$\begin{aligned}&T(\bar{r}_{1\otimes 2\otimes \dots \otimes t-1\otimes k}[S(i,j)=0]) \\= & {} Prob(\bar{r}_{k}=0|\bar{r}_{1}\otimes \bar{r}_{2}\otimes \dots \otimes \bar{r}_{t-1}=0,S(i,j)=0)\cdot Prob(\bar{r}_{1}\otimes \bar{r}_{2}\dots \otimes \bar{r}_{t-1}=0|S(i,j)=0)\\= & {} \frac{1}{2}\cdot \frac{1}{2^{t-1}}=\frac{1}{2^{t}}. \end{aligned}$$

and

$$\begin{aligned}&T(\bar{r}_{1\otimes 2\otimes \dots \otimes t-1\otimes k}[S(i,j)=1]) \\= & {} Prob(\bar{r}_{k}=0|\bar{r}_{1}\otimes \bar{r}_{2}\otimes \dots \otimes \bar{r}_{t-1}=0,S(i,j)=1)\cdot Prob(\bar{r}_{1}\otimes \bar{r}_{2}\dots \otimes \bar{r}_{t-1}=0|S(i,j)=1)\\= & {} \frac{1}{2}\cdot \frac{1}{2^{t-1}}=\frac{1}{2^{t}}. \end{aligned}$$

Case 2: \(\bar{r}_{k}\notin \{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\)

Since the t pixels are generated randomly, we obtain

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])=\frac{1}{2^{t}}. \end{aligned}$$

In conclusion, we prove this Lemma.

Lemma 3.3

Given a secret pixel S(i, j) in Algorithm 2, any t \((t< k)\) pixels of \(r_{1},r_{2},\ldots ,r_{n}\) satisfy

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1]), \end{aligned}$$

where \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])\) (resp. \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])\)) means the probability of light transmission after stacking t pixels when the corresponding area of the secret image is white (resp. black), \(\hat{r}_{1\otimes 2\otimes \dots \otimes t}=\hat{r}_{1}\otimes \hat{r}_{2}\otimes \dots \otimes \hat{r}_{t}\), and \(\{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\subseteq \{r_{1},r_{2},\dots ,r_{n}\}\).

Proof

By Lemma 3.2, we prove this Lemma immediately.

Lemma 3.4

Given a secret pixel S(i, j) in Algorithm 2, any t \((t\ge k)\) pixels of \(r_{1},r_{2},\ldots ,r_{n}\) satisfy

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])>T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1]). \end{aligned}$$

where \(\hat{r}_{1\otimes 2\otimes \dots \otimes t}=\hat{r}_{1}\otimes \hat{r}_{2}\otimes \dots \otimes \hat{r}_{t}\) and \(\{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\subseteq \{r_{1},r_{2},\dots ,r_{n}\}\).

Proof

To prove this lemma, we consider the following two cases:

(1) If \(\{\bar{r}_{1}, \bar{r}_{2},\ldots , \bar{r}_{k}\}\nsubseteq \{\hat{r}_{1}, \hat{r}_{2},\ldots , \hat{r}_{t}\}\), then by Lemma 3.3 we have

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1]). \end{aligned}$$

(2) If \(\{\bar{r}_{1}, \bar{r}_{2},\ldots , \bar{r}_{k}\}\subset \{\hat{r}_{1}, \hat{r}_{2},\ldots , \hat{r}_{t}\}\), we have

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=\frac{1}{2^{k-1}},\,\,T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])=0. \end{aligned}$$

Combining the above results, we have

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])>T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1]). \end{aligned}$$

Theorem 3.1

Given a secret image S, Algorithm 2 is a valid construction for RG-based (k, n)-VCS, which meets the following conditions:

(1) If \(t<k\), then \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])=T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])\).

(2) If \(t\ge k\), then \(T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])>T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])\).

(3) The average theoretical contrast is

$$\begin{aligned} \alpha =\frac{\frac{\left( \begin{array}{ll}{n-k}\\ {t-k}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{k-1}}}{1+\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}}, \end{aligned}$$

where \(\hat{r}_{1\otimes 2\otimes \dots \otimes t}=\hat{r}_{1}\otimes \hat{r}_{2}\otimes \dots \otimes \hat{r}_{t}\) and \(\{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\subseteq \{r_{1},r_{2},\dots ,r_{n}\}\). The letter g denotes the number of pixels selected from \(\{\bar{r}_{1},\bar{r}_{2},\ldots ,\bar{r}_{k}\}\), and t is the number of shares.

Proof

By Lemmas 3.3 and 3.4, we get conditions (1) and (2) immediately.

Next, we prove the condition (3). By Lemmas 3.2 and 3.3, we have

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])&=\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}+\frac{\left( \begin{array}{ll}{k}\\ {k}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-k}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{k-1}}\\&=\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}+\frac{\left( \begin{array}{ll}{n-k}\\ {t-k}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{k-1}}, \end{aligned}$$

and

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1])=\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}. \end{aligned}$$

By Definition 2.5, the average theoretical contrast of the proposed algorithm is

$$\begin{aligned} \alpha= & {} \frac{T(\hat{r}_{1\otimes \cdots \otimes t}[S(i,j)=0])-T({\hat{r}_{1\otimes \cdots \otimes t}[S(i,j)=1]})}{1+T({\hat{r}_{1\otimes \cdots \otimes t}[S(i,j)=1]})}\\= & {} \frac{\frac{\left( \begin{array}{ll}{n-k}\\ {t-k}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{k-1}}}{1+\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}}. \end{aligned}$$

Thus, for the secret image S, we can obtain

$$\begin{aligned} \alpha =\frac{\frac{\left( \begin{array}{ll}{n-k}\\ {t-k}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{k-1}}}{1+\sum \limits _{max\{0,t+k-n\}\le g<k}\frac{\left( \begin{array}{ll}{k}\\ {g}\end{array}\right) \left( \begin{array}{ll}{n-k}\\ {t-g}\end{array}\right) }{\left( \begin{array}{ll}{n}\\ {t}\end{array}\right) }\cdot \frac{1}{2^{g}}}. \end{aligned}$$
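The following added example (not code from the paper) computes the light transmissions of Lemmas 3.1 to 3.4 exactly, by enumerating every outcome of the pixel generation described in the proof of Lemma 3.1, and compares the resulting contrast with the closed form of Theorem 3.1. It assumes that the n generated pixels are assigned to the n shares uniformly at random, which is what the probabilities in Lemma 3.1 imply; the function names are hypothetical.

```python
import itertools
from fractions import Fraction
from math import comb


def transmission(s, k, n, t):
    """Exact probability that t stacked share pixels are transparent.

    Pixel generation as in the proof of Lemma 3.1: k-1 uniformly random
    bits, a k-th bit equal to s XOR all of them, and n-k white (0) pixels.
    Assumption: the n pixels are handed to the shares in uniformly random
    order, so looking at t fixed shares equals picking a uniformly random
    t-subset of the generated pixels.
    """
    clear = total = 0
    for bits in itertools.product((0, 1), repeat=k - 1):
        last = s
        for b in bits:
            last ^= b
        pixels = list(bits) + [last] + [0] * (n - k)
        for chosen in itertools.combinations(range(n), t):
            total += 1
            # OR-stacking: transparent only if every chosen pixel is white
            clear += not any(pixels[i] for i in chosen)
    return Fraction(clear, total)


def contrast_enumerated(k, n, t):
    """Contrast of Definition 2.5 from the enumerated transmissions."""
    t_white = transmission(0, k, n, t)
    t_black = transmission(1, k, n, t)
    return (t_white - t_black) / (1 + t_black)


def contrast_theorem(k, n, t):
    """Closed form of Theorem 3.1, condition (3); zero when t < k."""
    if t < k:
        return Fraction(0)
    # g = number of stacked pixels taken from the k secret-dependent ones
    tail = sum(
        Fraction(comb(k, g) * comb(n - k, t - g), comb(n, t)) / 2 ** g
        for g in range(max(0, t + k - n), k)
    )
    head = Fraction(comb(n - k, t - k), comb(n, t)) / 2 ** (k - 1)
    return head / (1 + tail)


if __name__ == "__main__":
    for k, n in [(2, 3), (3, 5)]:
        for t in range(1, n + 1):
            print(k, n, t, contrast_enumerated(k, n, t), contrast_theorem(k, n, t))
```

For fewer than k shares both transmissions coincide and the contrast is exactly zero, which is condition (1) of the theorem; from k shares on, the enumerated value equals the closed form.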

Next, we prove that Algorithm 3 is a valid construction. The proof is as follows.

Lemma 3.5

In Algorithm 3, each white pixel in original shares \(R_{1},\ldots , R_{n}\) is modified into black pixel with the probability of \(\frac{1}{2}-\frac{k}{4n}\).

Proof

For Modification rule 1, the conclusion is obviously true. For Modification rule 2, if the pixel \(R_{p}(i,j)\) is white, then the corresponding position on \(R_{q}\) is a white pixel with the probability of \(1-\frac{k}{2n}\). We randomly select one pixel from \(R_{\{p,q\}}(i,j)\) and modify it into a black pixel. Thus each white pixel in the original shares is modified into a black pixel with the probability of \(\frac{1}{2}-\frac{k}{4n}\).

Lemma 3.6

After Algorithm 3, when a pixel is randomly selected from the verifiable shares \(S_{1},\ldots ,S_{n}\), the selected pixel is white with the probability of \(\frac{1}{2}-\frac{k^{2}}{8n^{2}}\).

Proof

By Lemma 3.1, we obtain

$$\begin{aligned} Prob(r_{i}=0)=1-\frac{k}{2n},\,Prob(r_{i}=1)=\frac{k}{2n}, \end{aligned}$$

Thus, we have

$$\begin{aligned} Prob(S_{z}(i,j)=0)= & {} \left( 1-\frac{k}{2n}\right) \cdot \left( 1-\left( \frac{1}{2}-\frac{k}{4n}\right) \right) \\= & {} \frac{1}{2}-\frac{k^{2}}{8n^{2}}, \end{aligned}$$

where \(S_{z}(i,j)\) denotes the i-th row and j-th column pixel of verifiable share \(S_{z}\), \(1\le i\le N\), \(1\le j\le M\), and \(1\le z\le n\).

Similarly,

$$\begin{aligned} Prob(S_{z}(i,j)=1)=\frac{k}{2n}+\left( 1-\frac{k}{2n}\right) \cdot \left( \frac{1}{2}-\frac{k}{4n}\right) = \frac{1}{2}+\frac{k^{2}}{8n^{2}}. \end{aligned}$$

Theorem 3.2

The proposed (k, n)-CIVCS in Algorithm 3 is a valid construction.

Proof

(1) For security condition:

By Lemma 3.5, each white pixel in an original share is modified into a black pixel with the probability of \(\frac{1}{2}-\frac{k}{4n}\). We can prove that the construction of the cheating immune scheme satisfies the security condition through Lemma 3.3. That is to say, no information about the secret image can be obtained by stacking any fewer than k shares from \(S_{1},S_{2},\ldots ,S_{n}\).

(2) For contrast condition:

By Lemmas 3.4 and 3.5, given any t (\(t\ge k\)) verifiable shares, we have

$$\begin{aligned} T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=0])>T(\hat{r}_{1\otimes 2\otimes \dots \otimes t}[S(i,j)=1]), \end{aligned}$$

where \(\hat{r}_{1\otimes 2\otimes \dots \otimes t}=\hat{r}_{1}\otimes \hat{r}_{2}\otimes \dots \otimes \hat{r}_{t}\) and \(\{\hat{r}_{1},\hat{r}_{2},\dots ,\hat{r}_{t}\}\subseteq \{r_{1},r_{2},\dots ,r_{n}\}\).

(3) According to Modification rule 2 in Algorithm 3, we stamp adjacent and non-intersecting concentric rings on any two shares. Three adjacent and non-intersecting concentric solid black rings can be revealed respectively by stacking any two verifiable shares in several ways, including rotating one of the two shares by 90\(^{\circ }\), 180\(^{\circ }\), and 270\(^{\circ }\) counterclockwise.

3.3 Cheating immune

In our scheme, successful cheating depends on correctly guessing the positions of the authentication regions. By Lemma 3.6, a pixel selected from the verifiable shares \(S_{1},\ldots ,S_{n}\) is white with the probability of \(\frac{1}{2}-\frac{k^{2}}{8n^{2}}\). Thus, the color of the verifiable shares is uniform. If higher-priority software tampers with a region of pixels in the verifiable shares, the color of the verifiable shares becomes uneven, and the verifier will refuse to provide their share and will stop the recovery procedure. The analysis of cheating immune is described as follows.

Lemma 3.7

The verifiable shares \(S_{1}, S_{2},\ldots ,S_{n}\) are indistinguishable, and the authentication rings can be revealed by stacking any two verifiable shares in several ways, including rotating one of the two shares by \(90^{\circ }\), \(180^{\circ }\), or \(270^{\circ }\).

Proof

By Theorem 3.2, the verifiable shares \(S_{1}, S_{2},\ldots ,S_{n}\) are indistinguishable. According to the authentication rings stamping process which is presented in Modification rule 2, the authentication rings are revealed by stacking any two verifiable shares in different angles.

Lemma 3.8

After Algorithm 3, the probability of correctly guessing the three adjacent and non-intersect concentric solid black rings is much less than

$$\begin{aligned} \left( \frac{3}{4}+\frac{k^{2}}{8n^{2}}-\frac{k^{4}}{64n^{4}}\right) ^{X}, \end{aligned}$$

where k denotes the threshold value, n is the number of participants, and X indicates the number of pixels on the three adjacent and non-intersect concentric solid black rings.

Proof

By Lemma 3.6, if we randomly select a pixel from the verifiable shares \(S_{1},\ldots ,S_{n}\), then the selected pixel is white with probability \(\frac{1}{2}-\frac{k^{2}}{8n^{2}}\). Therefore, the probability that a black pixel is revealed on the corresponding superimposed share is \(1-\left( \frac{1}{2}-\frac{k^{2}}{8n^{2}}\right) ^{2}=\frac{3}{4}+\frac{k^{2}}{8n^{2}}-\frac{k^{4}}{64n^{4}}\). All of the X pixels are revealed as black on the corresponding superimposed share with probability \(\left( \frac{3}{4}+\frac{k^{2}}{8n^{2}}-\frac{k^{4}}{64n^{4}}\right) ^{X}\). Furthermore, the three adjacent and non-intersect concentric solid black rings need to be revealed respectively by stacking any two verifiable shares at different angles. Hence, the probability of correctly revealing the authentication patterns is much less than \(\left( \frac{3}{4}+\frac{k^{2}}{8n^{2}}-\frac{k^{4}}{64n^{4}}\right) ^{X}\).

The value of X is related to p, q, n, and W, where p (resp. q) denotes the p-th (resp. q-th) share, and W is the width in pixels of the adjacent and non-intersect concentric solid black ring. Unfortunately, there is no unified formula that can accurately calculate X. Some values of X are shown in Tables 1, 2, and 3.

Table 1 When n=3 and W=10 pixels, the number of pixels on authentication pattern
Table 2 When n=4 and W=10 pixels, the number of pixels on authentication pattern
Table 3 When n=5 and W=10 pixels, the number of pixels on authentication pattern
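The bound of Lemma 3.8 can be evaluated and checked numerically. The following Python sketch is an added example, not code from the paper: it computes the per-pixel probability exactly, evaluates the bound in log space, finds the smallest X that reaches a target security level, and confirms the closed form by Monte Carlo under the independence assumption used in the proof. The function names and the sample values of X are assumptions, since the contents of Tables 1–3 are not reproduced here.

```python
import math
import random
from fractions import Fraction

def white_prob(k, n):
    """Lemma 3.6: P(pixel of a verifiable share is white) = 1/2 - k^2/(8n^2)."""
    return Fraction(1, 2) - Fraction(k * k, 8 * n * n)

def black_on_stack(k, n):
    """Stacking is a pixel-wise OR: the result is black unless both pixels are white."""
    w = white_prob(k, n)
    return 1 - w * w  # equals 3/4 + k^2/(8n^2) - k^4/(64n^4)

def forgery_bound_log2(k, n, x):
    """log2 of the Lemma 3.8 bound p^X; log space avoids underflow for large X."""
    return x * math.log2(black_on_stack(k, n))

def min_ring_pixels(k, n, bits):
    """Smallest X for which the bound p^X is at most 2^-bits."""
    return math.ceil(bits / -math.log2(black_on_stack(k, n)))

def simulate(k, n, x, trials, seed=0):
    """Monte Carlo estimate of P(all x stacked pixels are black), assuming the
    two stacked pixels are independent, as in the proof of Lemma 3.8."""
    rng = random.Random(seed)
    w = float(white_prob(k, n))
    hits = 0
    for _ in range(trials):
        # A stacked pixel is white only if both share pixels are white.
        if all(not (rng.random() < w and rng.random() < w) for _ in range(x)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    k, n = 2, 3
    print("per-pixel black probability:", black_on_stack(k, n))
    for x in (100, 1000, 10000):  # constructed sample values of X
        print(f"X={x}: bound = 2^{forgery_bound_log2(k, n, x):.1f}")
    print("X needed for a 2^-128 bound:", min_ring_pixels(k, n, 128))
    print("simulated, X=8:", simulate(k, n, 8, 20000),
          "closed form:", float(black_on_stack(k, n)) ** 8)
```

Because the per-pixel probability stays close to 3/4 for every k ≤ n, the bound is driven almost entirely by X, that is, by the ring width W and the ring radii.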

From what has been discussed above, we may safely draw the conclusion that (1) Since the proposed scheme is based on random grids, our scheme has no pixel expansion. (2) We realize cheating immune by stacking any two verifiable shares in several ways, including rotating one of the two shares by \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\) counterclockwise, thereby removing the requirement for extra verifiable shares. (3) The secret image can be reconstructed by superimposing sufficient shares directly. (4) The authentication of shares and reconstruction of the secret image can be performed off-line and a trusted third party isn’t involved in the scheme.

4 Simulation results

In this section, to demonstrate the effectiveness and feasibility of the proposed method, examples and comparisons are presented. We use the Matlab simulation tools to simulate the proposed scheme. In practical application, we generate verifiable shares by Matlab and achieve the authentication and reconstruction process by observing the superimposition results of verifiable shares directly with the help of the naked eye.

Fig. 6 Experimental results of the RG-based (2, 3)-VCS. (e) \(S_{1}\otimes S_{2}\), (f) \(S_{1}\otimes S_{3}\), (g) \(S_{2}\otimes S_{3}\), (h) \(S_{1}\otimes S_{2}\otimes S_{3}\)

Figure 6 shows the experimental results of the RG-based (2, 3)-VCS. Figure 6(a) is the \(512\times 512\) binary secret image, and Fig. 6(b)–(d) are three shares generated by Algorithm 2. The results of stacking different combinations of shares are shown in Fig. 6(e)–(h). The pixel expansion is \(m=1\), and the contrasts of Fig. 6(e)–(h) are 0.1258, 0.1257, 0.1248, and 0.5006, respectively.

To obtain excellent authentication results, we set the pixel width W of the authentication ring to 10 pixels. The experimental results of the RG-based (2, 3)-CIVCS are illustrated in Fig. 7. Figure 7(a) is a \(512\times 512\) binary secret image, and the three original shares \(R_{1},R_{2},R_{3}\) generated by Algorithm 3 are shown in Fig. 7(b)–(d). Three verifiable shares \(S_{1},S_{2},S_{3}\), obtained by stamping the adjacent and non-intersect concentric solid black rings on the original shares, are exhibited in Fig. 7(e)–(g). We denote by \(S_{\hat{i}}^{\hat{j}}\) the rotation of verifiable share \(S_{\hat{i}}\) by \(\hat{j}\) degrees counterclockwise, where \(1\le \hat{i}\le 3\) and \(\hat{j}\in \{90, 180, 270\}\). The results of stacking any two verifiable shares are shown in Fig. 7(h)–(p). In these experimental results, we can detect the adjacent and non-intersect concentric solid black rings by stacking \(S_{p}\) and \(S_{q}\) rotated by different angles. No information about the secret image can be recovered by analysing a single original share or verifiable share, and we reconstruct the secret image by stacking any two or more verifiable shares.

Fig. 7 Experimental results of RG-based (2, 3)-CIVCS. (h) \(S_{1}\otimes S_{2}^{90^{\circ }}\), (i) \(S_{1}\otimes S_{2}^{180^{\circ }}\), (j) \(S_{1}\otimes S_{2}^{270^{\circ }}\), (k) \(S_{1}\otimes S_{3}^{90^{\circ }}\), (l) \(S_{1}\otimes S_{3}^{180^{\circ }}\), (m) \(S_{1}\otimes S_{3}^{270^{\circ }}\), (n) \(S_{2}\otimes S_{3}^{90^{\circ }}\), (o) \(S_{2}\otimes S_{3}^{180^{\circ }}\), (p) \(S_{2}\otimes S_{3}^{270^{\circ }}\), (q) \(S_{1}\otimes S_{2}\), (r) \(S_{1}\otimes S_{3}\), (s) \(S_{2}\otimes S_{3}\), (t) \(S_{1}\otimes S_{2}\otimes S_{3}\)

Fig. 8 Experimental results of RG-based (2, 4)-CIVCS. (d) \(S_{1}\otimes S_{2}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (e) \(S_{1}\otimes S_{3}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (f) \(S_{1}\otimes S_{4}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (g) \(S_{2}\otimes S_{3}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (h) \(S_{2}\otimes S_{4}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (i) \(S_{3}\otimes S_{4}^{\{90^{\circ },180^{\circ },270^{\circ }\}}\), (j) \(S_{p}\otimes S_{q}\), where \(1\le p<q\le 4\). (k) \(S_{1}\otimes S_{2}\otimes S_{3}\), \(S_{1}\otimes S_{2}\otimes S_{4}\), \(S_{1}\otimes S_{3}\otimes S_{4}\), \(S_{2}\otimes S_{3}\otimes S_{4}\), (l) \(S_{1}\otimes S_{2}\otimes S_{3}\otimes S_{4}\)

Similarly, the simulation results of the RG-based (2, 4)-CIVCS are shown in Fig. 8.

The simulation results in Fig. 7(b)–(g) indicate that the shares are inevitably darkened by Algorithm 3. Comparing Fig. 6(e)–(h) with Fig. 7(q)–(t) shows that the contrast of the recovered secret image becomes poor.

To test the effectiveness of cheating immunity in the proposed scheme, two experiments are demonstrated in Fig. 9. Figure 9(a) is the verifiable share in Fig. 7(f), Fig. 9(b) is the verifiable share in Fig. 7(g), and Fig. 9(c) is the verifiable share in Fig. 8(c-3). Figure 9(d) is a fake share obtained by changing each black pixel of Fig. 9(b) into a white pixel with probability \(\frac{1}{4}\). To aid understanding, we rename the shares in these experimental results: Fig. 9(a), (c) and (d) are renamed \(S_{1}\), \(S_{2}\) and \(S_{3}\), respectively. We notice that the solid authentication rings are invisible and incomplete on the stacked results Fig. 9(e)–(g) and (h)–(j), respectively. The experimental results show that the revealed adjacent and non-intersect concentric solid black authentication rings are invalid, which implies that \(S_{2}\) and \(S_{3}\) are fake shares.

Fig. 9 Experiment for detecting a fake share. (e) \(S_{1}\otimes S_{2}^{90^{\circ }}\), (f) \(S_{1}\otimes S_{2}^{180^{\circ }}\), (g) \(S_{1}\otimes S_{2}^{270^{\circ }}\), (h) \(S_{1}\otimes S_{3}^{90^{\circ }}\), (i) \(S_{1}\otimes S_{3}^{180^{\circ }}\), (j) \(S_{1}\otimes S_{3}^{270^{\circ }}\)

In Table 4, we give an overall comparison of related CIVCS and the proposed scheme. The symbol “−” denotes “not available”, which means the scheme is not a CIVCS. Unfortunately, we have not yet found a unified formula that can accurately calculate the theoretical contrast of the proposed RG-based (k, n)-CIVCS. Although the contrast is reduced in the proposed method, as shown by comparing the theoretical contrast in Table 5 with the experimental contrast in Table 6, the proposed method overcomes the following deficiencies: (1) each share has extra pixel expansion, (2) some methods need extra verifiable shares to authenticate the share, (3) some schemes require higher encryption and decryption computation, and (4) the authentication process needs a trusted third party.

Table 4 Comparison with related schemes
Table 5 Comparisons of theoretical contrast of (k, n)-VCS
Table 6 The experimental contrast of the proposed (k, n)-CIVCS

5 Conclusions

Cheating immune visual cryptography scheme (CIVCS) is an interesting technique and has been widely investigated. In this paper, we develop a novel scheme with the ability to detect a potential cheater by stacking any two verifiable shares in several ways, including rotating one of the two shares by \(90^{\circ }\), \(180^{\circ }\), and \(270^{\circ }\) counterclockwise. Moreover, the proposed scheme addresses the following disadvantages: (1) each share has extra pixel expansion, (2) some methods need extra verifiable shares to authenticate the share, (3) some schemes require higher encryption and decryption computation, and (4) the authentication process needs a trusted third party. Finally, we prove theoretically and experimentally that the proposed scheme is a valid construction. Since some white pixels are turned into black ones in the encryption process, the visual quality of the recovered secret image is poor. Improving the contrast of the recovered secret image is left as future work.