An Efficient Multi-Secret Image Sharing System Based on Chinese Remainder Theorem and Its FPGA Realization

Multi-Secret Image Sharing (MSIS) is important in information security when multiple images are shared in an unintelligible form to different participants, where the images can only be recovered using the shares from participants. This paper proposes a simple and efficient (<inline-formula> <tex-math notation="LaTeX">$n,n$ </tex-math></inline-formula>)-MSIS system for colored images based on XOR and Chinese Remainder Theorem (CRT), where all the <inline-formula> <tex-math notation="LaTeX">$n$ </tex-math></inline-formula> share are required in the recovery. The system improves the security by adding dependency on the input images to be robust against differential attacks, and by using several delay units. It works with even and odd number of inputs, and has a long sensitive system key design for the CRT. Security analysis and a comparison with related literature are introduced with good results including statistical tests, differential attack measures, and key sensitivity tests as well as performance analysis tests such as time and space complexity. In addition, Field Programmable Gate Array (FPGA) realization of the proposed system is presented with throughput 530 Mbits/sec. Finally, the proposed MSIS system is validated through software and hardware with all statistical analyses and proper hardware resources with low power consumption, high throughput and high level of security.

reveal more information [10]. Cheng et al. used shares in the shape of Quick Response (QR) codes, which do not raise suspicion [11]. While sharing one image is enough for some applications, other applications require multiple images sharing with increased security by building a dependency between the secret images.
Furthermore, Multi-Secret Image Sharing (MSIS) was introduced, where multiple images are shared at the same time instead of only one image. In recent (n, n)-MSIS systems, multiple methods of secret sharing are used. Sridhar and Sudha used a random grid approach to share two images as circular shape shares instead of rectangular shape [12], and Liu et al. combined it with polynomial-based SIS [13]. Another method is the XOR-based MSIS, where a mask is created from the secret images by XORing them and using a masking function, where CRT is the commonly used masking function [14]. The mask is then XORed with each of the secret images to create the shared images. In recovery, the mask is recovered by XORing the shared images, but it was restricted to an even number of input images.
Additional research on MSIS tried to increase the security and remove the restriction of an even number of inputs without changing the CRT masking function. Prasetyo et al. added a random image to the inputs to make them even, and encrypted input images using chaotic maps to increase the security of the system [15]. Prasetyo and Hesia used generalized chaotic scrambling on input images to ensure that the inputs to the MSIS module are even [16]. Prasetyo and Guo used chaotic scrambling on input images before the CRT [17]. Additionally, Guo et al. improved the security by using two masks and added beta chaotic map to perform confusion and diffusion on input images [18]. Those discussed systems only used CRT to create a mask from the modified and XORed input images. Accordingly, the masking function is a good candidate for enhancements to improve security. Sharobim et al. proposed an (n, n)-MSIS system based on CRT and S-box, where they used SHA-256 to build dependency on the secret images and added S-box after CRT [19].
Field Programmable Gate Arrays (FPGAs) are advantageous to general purpose computers because of their low power consumption, high throughput, design flexibility, low development per-unit costs, high speed, immunity to noise and a high degree of security [20], [21], [22], [23], [24], [25]. In addition, making portable, compact systems is made possible by a chip's ability to be programmed [26]. Hence, this encourages their utilization for optimized digital realizations of information security systems [25]. Specifically, few researchers implemented secret sharing systems on FPGA. In [27], the authors constructed a modified secret sharing strategy based on matrix projections and neural networks. The design used parallel hardware architecture and was tested on Virtex 6 XC6VLX760. Their implementation reduced memory requirements to store precalculated constants by 16 times through switching from a finite simple Galois field to a complex field. In [28], the authors utilized cloud of clouds for a secret sharing system. This approach makes the system accessible over the network. The system was implemented on Xilinx Zynq-7000 AP SoC XC7Z020-CLG484. The proposed design uses Multi-Party Computation (MPC), which allows data from multiple sources to be used in secure computation. This keeps the original data protected and only displays the result, which facilitates shared use of data sets gathered by various entities.
This paper proposes an MSIS system, which increases the system security by adding levels of encryption to the masking function along with the CRT, without manipulating the secret images with complicated operations. The proposed system is simple, efficient, and works with different image sizes and number of shares, in addition to having a novel design of a long and sensitive system key for the CRT. The FPGA implementation provides low power consumption, high throughput, high speed, and high level of security. In addition to using the security analysis tests that are commonly used in the MSIS literature, more security and performance analysis tests are used to evaluate the proposed system. The results and comparisons demonstrate the efficiency and improved security of the system.
The remainder of this section describes the necessary background for XOR-based MSIS and CRT. The following section presents the proposed (n, n)-MSIS system, while Section III describes its hardware implementation on FPGA. Section IV gives the security analysis results, and Section V discusses the performance analysis results. Section VI presents comparisons with previous schemes, and finally, Section VII gives the conclusions and future research directions.

A. XOR-BASED MSIS AND CRT
In the XOR-based MSIS system in [14], the generation stage works as: where M is the mask, I 1 , I 2 , · · · , I n are the secret images, and S 1 , S 2 , · · · , S n are the shared images. In the recovery stage, the recovered images, R 1 , R 2 , · · · , R n , are recovered using: where the recovery is lossless (M r = M ) for an even value of n. The CRT encrypts color images by solving the following system of congruences for each pixel: x ≡ G mod k 2 , (3b) where R, G, and B are the pixel values for the red, green, and blue channels, respectively, and k 1 , k 2 , and k 3 are pairwise relatively prime subkeys. The steps for solving the system of congruences using CRT are [29]:

II. PROPOSED SYSTEM
The proposed (n,n)-MSIS system uses several delay units and modifies the masking module by adding dependency on the input images to increase the security. The system includes two main generation and recovery schemes, which utilize a common masking module, J. The proposed system works for both even and odd number of input images, n. Figure 1 shows the system in case of even n, where in generation, the secret images {I 1 , I 2 , · · · , I n } are XORed together, with delay, to get the image T 1 represented as: where all equations are applied to the R, G, and B channels of each pixel, 1 ≤ j ≤ HW , and H and W are the height and width of the images, respectively. At j = 0, the value of T 1 is assumed to be 0. T 1 is then used as input to the masking module J, along with the system key, to generate the mask image E as: The masking module, J, is shown in Fig. 2, and it includes the following three steps: An addition mod 256 is used to preserve the 8 bits for each channel and P sum is used to create sensitivity where any small change in T 1 leads to a totally different T 2 . Finally, the CRT, which is described in Eqs. (3) and (4), is used to encrypt T 2 and get the mask E.
Since the CRT requires that the subkeys k 1 , k 2 , and k 3 be pairwise relatively prime integers, the following method is designed to generate them from a single integer K . First, a unity bit is concatenated to the right of the input key K , which can be of any length, leading to the first odd subkey, k 1 . Next, k 2 and k 3 are generated such that k 2 = k 1 + 1 and k 3 = k 1 + 2. Using the Euclidean algorithm, it can be easily proven that the three subkeys generated in this manner are pairwise relatively prime [29]. Having one key for the system is more secure, sensitive, and user-friendly than having multiple keys. Since P R , P G , P B and P in Eq. (4f) are calculated from k 1 , k 2 , and k 3 and are the same for all the image pixels, they are calculated once in the system, which make the system faster and more efficient.
After finding x using the CRT, its value is reduced mod 256 and saved in the three channels of the corresponding pixel in the mask image E. Finally, E is XORed with each of the secret images, with delay, to generate the shared images {S 1 , S 2 , · · · , S n } as: where the value of S i is assumed to be 0 at j = 0. The delay is added to improve the system security because every pixel from the input secret images affects all upcoming pixels of T 1 [30]. Moreover, every input and masking pixel affects all upcoming pixels of the shares. In the recovery scheme for even n, the shares are XORed together to get the image T 1 that is used as input to the masking module, along with the system key, to recover the mask image E. Finally, E is XORed with each of the shared images, with delay on S i , to get the recovered secret images {R 1 , R 2 , · · · , R n } using: The system for odd number of images n is shown in Fig. 3, where two masks {E 1 , E 2 } are used by adapting the method proposed in [17] to incorporate the effect of delay as follows.
In the generation scheme: In the recovery scheme:

III. HARDWARE IMPLEMENTATION
This section illustrates the hardware architecture for the generation and the recovery schemes, where the input images are stored in 4 block RAMs I 1 , I 2 , I 3 and I 4 in case of the generation and S 1 , S 2 , S 3 and S 4 in case of the recovery. Each block RAM has 24 bits data width and 65536 memory depth to store a 256 × 256 RGB image.

A. GENERATION SCHEME
The generation scheme, shown in Fig. 4(a), consists of 3 stages. The first stage involves bit-wise XORing the four images as well as the previous T 1 . The total of each channel of T 1 is accumulated in the 8-bit register P sum until the block RAM's end is reached. Then P sum is added to each of the channels of T 1 after it has been regenerated. The subkeys k 1 , k 2 and k 3 in Eq. (4a) are used to calculate the 390-bit registers P R , P G , P B and P. Then, the CRT in Eq. (4f) is applied and the result's least significant byte is saved in the 8 × 65536 block RAM E.
In stage 2, I 1 , I 2 , I 3 , and I 4 are XORed with S 1 , S 2 , S 3 and S 4 , respectively and with the corresponding location in E. In stage 3, each of S 1 , S 2 , S 3 and S 4 are buffered and sent to the PC using Universal Asynchronous Receiver-Transmitter (UART).

B. RECOVERY SCHEME
The recovery scheme is show in Fig. 4(b), where in stage 1, the register Delay does not exist. As for stage 2, the register Delay holds the value of the inputs, i.e., secret shares, and there are no changes in stage 3.

C. EXPERIMENTAL VALIDATION
Each scheme is realized in Verilog hardware description language and implemented on Genesys2 XC7K325TFFG900-2 FPGA [31]. The schemes operates at a maximum frequency of 22.09 MHz with a throughput of 530 Mbit/s. The generated   bit-stream is sent over a UART channel so that each output image from the generation and recovery schemes is compared to the output of the corresponding software according to the setup in Fig. 5. The hardware resources utilization of the generation and recovery schemes are given in Table 1, which shows that both schemes have almost the same utilization.
The system was tested on (2,2), (3,3), and (4,4) thresholds, where the images {b, e}, {a, c, e}, {a, b, c, d} are used for each threshold, respectively. In the case of (4,4)-threshold for 512 × 512 images, the used four secret images are shown in Fig. 6(a)-(d), and the secret shares generated are shown in Fig. 6(e)-(h). VOLUME 11, 2023   In the following subsections, the results of several statistical tests, such as histograms, entropy, Root Mean Square Error (RMSE), correlation coefficients, and adjacent pixels correlation are analyzed, where some of these tests are not commonly performed in the MSIS literature. Moreover, resistance to differential attacks and key sensitivity results are discussed.

A. STATISTICAL ANALYSIS RESULTS
The histogram of an image shows the distribution of pixel values across the whole image. In the case of (4,4)-threshold for 512 × 512 images, the histograms of a plain image are non-uniform as shown in Fig. 7(a)-(c) for the three channels of the secret image, I 1 . For a strong encryption system, the histograms of encrypted images must be uniform [33]. The histograms of the three channels of the share S 1 are shown in Fig. 7(d)-(f), where all the other shares show similar uniform histograms.
Entropy measures the randomness of image pixels and is measured using: where P(i) is the probability of the pixel value i. The encrypted images of a good encryption system should have entropy values close to 8 to eliminate the predictability [34].  Table 3 shows the entropy of the secret images and the shares, where the entropy of the shares approach the expected value of 8. RMSE is used to measure the difference between two images x and y using: where W and H are the width and height of the images, respectively, and zero RMSE means identical images [34].
Correlation is used to measure the degree of similarity between two vector variables x and y and it is calculated using: where n is the length of the two vectors, Cov is the covariance and ρ is the correlation coefficient. The range of correlation coefficient is [−1, 1], where 0 means no correlation, and it is the desired value for a strong encryption system [34]. Table 4 shows the average results for different number of shares and image sizes. The entropy is near 8 which is the desired value, correlation tends to zero, and RMSE is high, which is an indication of good system security.
Correlation is also measured between adjacent pixels in horizontal, vertical, and diagonal directions [33]. Table 5 shows high correlations between pixel pairs in each direction and channel of the secret images, and the corresponding values for the secret shares approach zero. Figure 8 shows the scatter diagrams of the red channel in secret image I 1 and share S 1 across the three directions in the case of (4,4)threshold with size of 512 × 512, whereas the other secret images and shares have similar diagrams in different directions and channels. The correlation results demonstrate the achieved weak correlation between adjacent pixels of the shares in all directions.

B. RESISTANCE TO DIFFERENTIAL ATTACKS
Differential attacks rely on observing the change in the encrypted image when a change is made in the original image. For a strong encryption system, a change of a bit in the original image must lead to a complete change in the encrypted image. The Number of Pixel Change Rate (NPCR) is used to measure the percentage of change between two images E 1 and E 2 and is calculated by: where W , H are the width and height of images, respectively, and E 1 (i, j) is the pixel value at location (i, j) and a good encryption system must give values close to 99.61% [35]. Another metric is the Unified Average Changing Intensity (UACI) which measures the average difference of intensities between two images E 1 and E 2 and is calculated by: where a good encryption system must have values close to 33.46% [35]. The differential attack tests were performed by changing the Least Significant Bit (LSB) of a random pixel in a random channel of a random secret image. Then, NPCR and UACI are measured between shares generated from the original secret images and the shares MS i generated from the modified secret images. The experiment was performed 200 times with randomly changed locations and the average values of NPCR and UACI are as required as shown in Table 6 for the case of (4,4)-threshold for 512 × 512 images. It should be pointed out that UACI and NPCR were measured by the previous schemes as statistical measures between secret images and secret shares, which is conceptually similar to the information provided by the correlation and RMSE measures.

C. KEY SPACE AND SENSITIVITY
Any key size can be used in the proposed system, but a key size of 128 bits or more is required to resist brute-force VOLUME 11, 2023   Correlation of adjacent pixels in secret images and shares of (4,4)-threshold for 512 × 512 images.

TABLE 6.
Measures for differential attacks in the case of (4,4)-threshold for 512 × 512 images. attacks [36]. The key space has a size of 2 k where k is the number of bits of the used key. Key sensitivity is tested by changing the LSB of the key and measuring the Mean Squared Error (MSE) between the images recovered by the original key, R i , and the images recovered by the modified key, MR i [33]. The MSE is calculated using the square of Eq. (13). The key is sensitive as demonstrated by Table 7 giving the large MSE results and the images recovered by the modified key in the case of (4,4)-threshold for 512 × 512 images.

V. PERFORMANCE ANALYSIS
The time complexity of the proposed scheme depends on the dimensions of the secret images H × W , where H and W are the height and the width of the images, respectively. The time complexity is O(H × W ) because the proposed system only scans the images and performs constant-time operations on separate pixels. The space complexity also depends on the dimensions of secret images and, hence, it is O(H × W ). Table 8 shows average runtimes of 20 runs for different input numbers and dimensions using the system specifications (Windows 11, Intel Core i7-10750H CPU @ 2.60GHz, 15.8 GB RAM, Python programming language, and JupyterLab IDE). When the number of secret images is even, 2n, the runtime is not significantly affected by increasing n. However, when the number of secret images is odd, 2n + 1, the total runtime of generation and recovery is about double that of the 2n case because the masking is performed twice. It should also be noted that the recovery time is less than the generation time because the direct XOR on the shares requires less computational power.

VI. COMPARISON
To compare the proposed system, the same images used in previous MSIS systems are used in the case of (4,4)-threshold. The previous systems only presented the results for (4,4)-threshold and size of 512×512. The comparison is with the previous schemes presented in [14], [15], [17], and [18], where some references presented several schemes, and the results of the last scheme in each reference is used in comparison. Table 9 shows the RMSE between the secret images and the shares, and between the shares, where the proposed system  results are comparable to or better than the previous schemes. Table 10 shows the correlation between the secret images and the shares, and between the shares, where the table demonstrates the good results of the proposed system compared to the previous schemes. It should be noted that some previous schemes only reported 2 or 3 Decimal Points (DP), which is insufficient as the results reported were 0.00 and 0.000.

VII. CONCLUSION
This paper introduced a simple, secure and efficient (n,n)-MSIS system of colored images, by adding several delay units and input dependency to the commonly used CRT masking function. The system works with even and odd number of inputs, and a secure and sensitive key for the CRT was designed. The system was implemented on Genesys2 (XC7K325TFFG900-2) FPGA and operates at a maximum frequency of 22.09 MHz. The output bit stream of the FPGA implementation was verified against the software simulation.
The system successfully passed all security analysis tests that are used in previous literature, and also passed additional security and performance analysis tests. The FPGA implementation provides low power consumption, high throughput, high speed, and high level of security. In future work, further improvements can be made in which the number of output shares can be different from the number of secret images or other thresholds can be used.