A Lossless Linear Algebraic Secret Image Sharing Scheme

A (k, n)-threshold secret image sharing scheme is any method of distributing a secret image amongst n participants in such a way that any k participants are able to use their shares collectively to reconstruct the secret image, while fewer than k shares do not reveal any information about the secret image. In this work, we propose a lossless linear algebraic (k, n)-threshold secret image sharing scheme. The scheme associates a vector vi to the ith participant in the vector space F k 2α , where the vectors vi satisfy some admissibility conditions. The ith share is simply a linear combination of the vectors vi with coefficients from the secret image. Simulation results demonstrate the effectiveness and robustness of the proposed scheme compared to standard statistical attacks on secret image sharing schemes. Furthermore, the proposed scheme has a high level of security, errorresilient capability, and the size of each share is 1/k the size of the secret image. In comparison with existing work, the scheme is shown to be very competitive.


Introduction
A secret sharing scheme is any method of distributing a secret amongst a number of participants in such a way that any authorized group of participants can recover the secret, while unauthorized sets of participants are unable to obtain any information about the secret using their shares. In a k-out-of-n secret sharing scheme, there are n participants and every collection of k or more participants is authorized to recover the secret, while fewer than k participants constitute an unauthorized set. The number k is referred to as the threshold and the scheme is usually referred to as a (k, n)-threshold secret sharing scheme, or a (k, n)-scheme for short. While there exist other approaches such as those where authorized sets of participants are specified by properties other than merely the size of the subset, in this work we focus on (k, n)-schemes.
The concept of secret sharing was introduced in 1979 independently by Shamir (1979) and Blakley et al. (1979). Shamir's method is based on polynomial interpolation in the field F p of integers modulo p, whereas Blakley's method is based on hyperplane geometry. In the early eighties, Mignotte (1982) and Asmuth and Bloom (1983) proposed a threshold secret sharing approach based on the Chinese remainder theorem. Secret sharing schemes are important primitives in a number of cryptographic applications such as threshold signature (authentication) schemes (Desmedt and Frankel, 1991), access control (Naor and Wool, 1998), electronic voting (Schoenmakers, 1999), distributed storage systems (Wylie et al., 2000), etc.
Because of the widespread use of digital images, development of secret image sharing schemes (SIS) where the secret is a digital image have attracted the attention of researchers. In the context of an SIS, shares are often referred to as shadow images. We refer to a (k, n)-threshold secret image sharing scheme as a (k, n)-SIS for short. There are challenges specific to secret image sharing. For example, secret sharing was originally introduced for sharing cryptographic keys, thus sizes of shares were not much of a concern. On the other hand, since digital images are typically large, one is concerned with how large each shadow image is in comparison to the original secret. While Shamir's scheme produces shares of the same size as the secret itself, Thien and Lin (2002) proposed a (k, n)-SIS inspired by Shamir's scheme whose shadow images are of size 1/k the size of the secret. Lin and Tsai (2004) extended Shamir's scheme in proposing a secret image sharing scheme with the capabilities of steganography and authentication. Chang et al. (2008) showed that this scheme suffers from weak authentication and low quality of stego-images. In Bai (2006), Bai proposed a (k, n)-SIS based on matrix projection in conjunction with Thien and Lin's approach (Thien and Lin, 2002). del Rey (2008) proposed a (2, n)-SIS using binary matrices. Rey's scheme is shown to suffer from some drawbacks if the matrices are not of low enough rank (Elsheh and Hamza, 2010). Many Shamir-based SIS use arithmetic in the fields F 251 or F 257 to accommodate 8-bit intensity values of digital images. This choice renders such schemes lossy since they involve truncation of some values. Hu et al. (2012) proposed a lossless (k, n)-SIS over the Galois field F 2 8 . In El-Latif et al. (2013), Abd El-Latif et al. proposed a secret image sharing scheme based on random grids and error diffusion and a chaotic cat map for the generation of meaningful shadow images. Wu (2013) proposed a variant of Thien-Lin's scheme (Thien and Lin, 2002) which uses prime number 257 as a replacement for 251 in Thien-Lin's approach. Wu's scheme has a low distortion rate, and is more applicable for light images (Wu, 2013). However, due the overflow caused in the generation phase of this scheme, reconstruction of the secret image is more computationally intensive than in the case of Thien-Lin's scheme. In Zarepour-Ahmadabadi et al. (2016), Zarepour-Ahmadabadi et al. proposed an SIS based on cellular automata. Deng et al. (2017) proposed a (2, n)-threshold SIS based on basic vector operations and coherence superposition. Kanso and Ghebleh (2017) proposed a variant of Thien and Lin's scheme based on cyclic shifting to improve the quality of the reconstructed secret image. Kabirirad and Eslami (2018) proposed a multi secret SIS based on Boolean operations whose drawback is that each generated shadow image has the same size as the secret image. Ghebleh and Kanso (2018) proposed a (k, n)-SIS based on Shamir's approach and arithmetic in a field F p where p is a large prime, to facilitate the use of (concatenated) multiple intensity values of the secret image as a single coefficient. While still lossy, this method enhances the quality of the reconstructed secret. Ding et al. (2018) proposed a scheme based on matrix theory and Shamir's construction. Recently, Kanso and Ghebleh (2018) proposed a (k, n)-threshold secret sharing scheme for medical images based on Shamir's approach and the high redundancy in medical images. Some secret image sharing schemes such as Chang and Hwang (1998), Chang et al. (2006), Chen et al. (2009), Le et al. (2011 employ vector quantization (VQ) methods (Gray, 1984;Gersho and Gray, 2012;Simić et al., 2018) to compress the secret image, which results in further reduction in the sizes of the shadow images.
A majority of existing secret image sharing schemes in the literature are based on one of Shamir's (1979), Blakley's et al., (1979), Mignotte's, (1982 and Asmuth and Bloom's, (1983) approaches. Furthermore, many of the existing schemes are lossy and restore the secret image with some distortion which may not be acceptable in certain applications. Moreover, some existing SIS suffer from weak authentication and security issues. The aim of this research is to present a secret sharing scheme that has improved performance over existing work.
In this paper, we propose a lossless linear algebraic (k, n)-SIS. As illustrated later, the proposed scheme is a generalization of Shamir's secret sharing scheme based on polynomial interpolation. The scheme associates a vector v i to the ith participant in the kdimensional vector space F k q over the Galois field F q , where q is a power of 2. The ith share is then computed as a linear combination of the vectors v i with coefficients computed from the secret. For the threshold property of secret sharing, and for security of shares, some admissibility conditions (such as linear independence of certain sets) are enforced on the vectors v i . Empirical results presented in the paper illustrate the proposed scheme's performance. These include security of shadow images and the recovery process. More specifically, it is shown that the produced shadow images satisfy randomness properties which in turn means that the shadow images do not reveal any meaningful information about the secret image. Moreover, shadow images have little or no correlation. It is also shown that any unauthorized collection of shadow images fails to produce any information about the secret image. The proposed scheme is lossless, which means that it can be used for sharing any type of digital data (as secret), including text and binary files such as compressed images generated via vector quantization.
The paper is organized as follows: In Section 2, we present the necessary background and notation. Section 3 provides a detailed description of the proposed scheme. Simulations are presented in Section 4 to showcase the efficiency of the scheme, the properties of the generated shadow images and security analysis. Section 5 presents a comparison of the scheme with existing work. Finally, we end the paper with some concluding remarks.

Background and Notation
We propose a secret image sharing scheme based on Shamir's approach (Shamir, 1979). In this section we lay out the necessary background and notation, as well as differences between the proposed scheme and Shamir's scheme. Shamir's (k, n)-scheme is based on polynomial interpolation in the field F p where p is a prime number. To share secret D ∈ {0, 1, . . . , p − 1}, a polynomial f (x) = a 0 + a 1 x + a 2 x 2 + · · · + a k−1 x k−1 is chosen at random with a 0 = D. Then the values f (i) where i ∈ {1, 2, . . . , n} are computed and distributed to the participants as shares. With the obvious conditions that k n < p, the polynomial interpolation theorem guarantees that every k shares suffice to recover f (x), and in particular the secret D. Following the notation of Spiez et al. (2009), Schinzel et al. (2010, this can be generalized by fixing pairwise distinct nonzero values x 1 , x 2 , . . . , x n ∈ F p and using y i = f (x i ) as the ith share. With this notation, computation of shares can be summarized as Let a = (a 0 , a 1 , . . . , a k−1 ), y = (y 1 , y 2 , . . . , y n ), and X be the n × k matrix in the above equation. For convenience, we identify vectors such as a and y with their row or column matrix representation. Then the above equation can be written as Simple linear algebra gives the following: • For guaranteed recovery of the secret a 0 from any k shares, all k × k submatrices of X must be nonsingular. While in the field of real numbers this condition is satisfied by the assumption that the components of the track x = (x 1 , x 2 , . . . , x n ) are positive and pairwise distinct, in a finite field F this is not necessarily the case. For example, the matrices 1 3 2 1 4 2 and ⎛ ⎝ 1 3 2 3 3 1 5 2 5 3 1 6 2 6 3 ⎞ ⎠ are singular over F 7 . • If a (k − 1) × (k − 1) submatrix of X induced by the rows 2, 3, . . . , k and columns j 1 , j 2 , . . . , j k−1 is singular, then the k − 1 shares y j 1 , y j 2 , . . . , y j k−1 suffice to recover the secret a 0 . Thus for the threshold property of the secret sharing scheme to be satisfied, we need all such (k − 1) × (k − 1) submatrices of X to be nonsingular.
The track x = (x 1 , x 2 , . . . , x n ) is said to be admissible if it satisfies the nonsingularity conditions discussed above. Admissible tracks are studied in Schinzel et al. (2010), Spież et al. (2012).
In this work, we consider a general matrix X for computation of the shares vector y. By destroying the algebraic relations between columns of X, this idea allows more "randomness" in the shares, thus potentially making the scheme more secure. On the other hand, the lack of algebraic relations in X renders the theoretical study admissibility impractical, and each X must be verified directly. We propose to choose X randomly from the set of all n × k matrices over the given field, then check its admissibility. If the field has large enough cardinality, this process has a high probability of success. Thien and Lin (2002) proposed a secret image sharing scheme (SIS) where all coefficients of the polynomial f (x), namely components of a, are chosen from the secret. As long as the secret image is properly shuffled to eliminate correlations between entries of a, this scheme works similarly to Shamir's scheme with the following two advantages: • While in Shamir's scheme each share has the same size as the secret, shares of Thien and Lin's scheme have size 1/k of the size of the secret. • A singular (k − 1) × (k − 1) submatrix of X would compromise the threshold property only for one coefficient a i which is only part of the secret. So while admissibility of X must be checked, if it is overlooked, it does not necessarily compromise the whole secret.
We follow the same approach in this work and pick all components of the vector a from the shuffled secret image. Since a digital image typically has a large size compared to the parameters k and n of the scheme, elements of the secret are processed k at a time. This can be utilized by allowing y and a to have more than one column. More specifically, we write the proposed SIS as where S is a k × m matrix obtained by padding, shuffling, and reshaping the secret image, X is an admissible n × k transformation matrix, and the n × m matrix Y is the matrix of shares, whose ith row constitutes the ith share.
The final difference between the proposed scheme, Shamir's, and Thien and Lin's schemes is the use of the field F q where q = 2 α instead of F p where p is a prime. Since digital media typically contain values from a domain {0, 1, . . . , 2 α − 1}, the use of a field F p involves truncation of some values which renders such secret sharing schemes lossy. Depending on the application, this might be acceptable or not. While computations in F p are faster, the field F q where q = 2 α is the natural choice for a lossless scheme. Since digital images typically consist of bytes of information, it is convenient for α to be a multiple of 8. If α = 8β, the entries s ij of the matrix S are each a concatenation of β entries of the secret image.
It should be noted that as mentioned above, for the random selection of the transformation matrix X to have a high probability of admissibility, the field F q must have a large cardinality. In the empirical analysis presented in this work we choose α = 16 and carry all computations in the field F q where q = 2 16 .

The Proposed Scheme
Following the notation of the previous section, the proposed SIS is summarized as where X is an admissible transformation matrix, S is the secret image (subjected to concatenation of entries, shuffling, padding and reshaping), and Y is the shares matrix. All these matrices have entries from a field F q where q = 2 α = 2 8β for some chosen parameter β. In this section, we present in more detail the generation of the matrices X and S, and the generation of shadow images using them. For added security, the secret image may be divided into several blocks, where each block is processed separately (with an independent transformation matrix X). In this case a parameter m specified by the user defines the number of columns of the matrix S corresponding to each block. The parameters of the proposed scheme which are kept constant throughout this section are the number β of bytes in each entry of S, the number n of the participants, the threshold k, and the block size m. With fixed β, we also fix an ordering of the elements of the field F q where q = 2 8β , say to move between the field F q and the group Z q of integers modulo q.

The Cat Map
Arnold's cat map (Arnol'd and Avez, 1968;Rong and Xiaoning, 1998) is a chaotic map studied extensively in the literature. It is known to generate pseudo-random numbers which are essential in cryptographic applications (Chen et al., 2004;Kanso and Ghebleh, 2012, 2013, 2015. Chen et al. (2004) proposed a 3-dimensional generalization of the cat map defined by where x i is the state vector of the map whose entries are in the interval [0, 1), and is defined using positive integer parameters a x , a y , a z , b x , b y , b z . It is known (Chen et al., 2004;Kanso and Ghebleh, 2012) that iterated applications of this map generate a pseudorandom sequence of values in the interval [0, 1) by taking components of the state vector.

Generation of the Transformation Matrix X
An admissible transformation matrix must be generated for each block of the secret. To avoid unnecessary complications, we refrain from including a block index in the notation and refer to this matrix simply as X. Let v i denote the ith row of X where 1 i n. For X to be admissible, the following conditions must be satisfied: The condition (A1) means that every k of the vectors v 1 , . . . , v n must be linearly independent in the vector space F k q . One would imagine that for this condition to be satisfied, n cannot be too large. On the other hand, provided that F q has large enough cardinality, this does not pose a practical restrain on the proposed scheme. Indeed it is known (Maneri and Silverman, 1966) that the maximum number of such vectors (the maximum possible choice of n) is at least |F q |+1 = 2 8β +1 which is much larger than practical requirements of an SIS.

Algorithm 1: Generation of a transformation matrix
Data: Parameters β, k, n and m of the scheme Data: Cat matrix A and initial state x 0 Result: An admissible matrix X Let be the sequence of elements of F q corresponding, according to Eq. (2), to elements of R . 8 Reshape the first nk elements of into a n × k matrix X. 9 if X is admissible then 10 Return X 11 else 12 Goto line 2. 13 End.
Our approach for generation of an admissible transformation matrix X, as described in Algorithm 1, is to populate a n × k matrix by randomly chosen nonzero elements of F q , then to test whether this matrix is admissible. If not, the matrix at hand is simply discarded and a new one is generated. The simple structure of the cat map used to generate Table 1 The ratio of admissible matrices X out of 10000 randomly generated n × k matrices. pseudo-random numbers accommodates fast generation of these matrices. On the other hand, testing admissibility is more computation-intensive since it involves verifying nonsingularity of all k×k and (k−1)×(k−1) submatrices. Our experimental results presented in Table 1, with β = 2 and small values of k and n, show that with high probability, the first generated matrix is indeed admissible.

Generation of the Matrix S
The matrix S of Eq. (1) is generated from the plain secret image P . Since S is of size k×m, it contains b = mkβ bytes of P . We assume P is padded in preprocessing so that its size in bytes is a multiple of b. The plain secret image P is also shuffled in preprocessing. The shuffling is performed according to the outputs of the cat map as follows. A pseudorandom sequence R of length |P | is generated similarly to lines 1-5 of Algorithm 1 with initial state x 0 , then a permutation π is found which sorts R. The shuffled image Q is obtained by applying the permutation π on P . For each block, a matrix S is generated using the next b bytes of Q. Algorithm 2 presents details of this process. Again we refrain from indicating a block index in the naming of variables such as S to avoid cumbersome notation.

Generation of Shadow Images
For each block, with the matrices X and S in hand, the share matrix Y can be computed according to Eq. (1). For each 1 i n, the ith row of the resulting matrix Y constitutes a block of the ith share. The ith shadow image is generated from the collection of all such rows by converting each element to an integer via the correspondence of Eq. (2), then breaking each integer value to β bytes. For added security we shuffle the ith shadow image according to a pseudo-random sequence R (i) of length 1 k |P | generated similarly to lines 1-5 of Algorithm 1 with initial state x (i) 0 . Let π (i) denote the permutation which sorts R (i) . We denote the shuffled shadow image that is obtained by applying π (i) to the ith shadow image by H i . The share (shadow image) H i may be reshaped to a rectangular array for presentation as an image.

Secret Key
The secret key of the proposed scheme consists of the parameters a x , a y , a z , b x , b y , b z of the cat matrix, as well as the initial states x 0 , x 0 and x (i) 0 , where 1 i n. It should be noted that for added security, different cat matrices may be used for the preprocessing (shuffling) and the transformation matrices.

Recovery of the Secret Image
We assume that the secret key of the scheme is held at a central authority and is released upon the presentation of shadow images by any authorized set of participants. Suppose that k shadow images H i 1 , H i 2 , . . . , H i k are presented to the central authority. The recovery of the secret image is carried out as follows.
• Apply the inverse of the shuffling permutation π (i j ) on each shadow image H i j , for 1 j k. • Each shadow image is converted to a sequence of elements of F q by grouping every β bytes into a single integer, and via the correspondence in Eq.
(2). The resulting sequences are then broken-up into blocks, using which a k×m submatrixỸ of the matrix Y associated with each block are obtained. More specifically, eachỸ consists of the rows i 1 , i 2 , . . . , i k of the corresponding matrix Y . • Using the secret key, the matrix X associated with each block is constructed. We then letX be the k × k submatrix of X induced by the rows i 1 , i 2 , . . . , i k . • By Eq. (1), we haveỸ =XS. On the other hand, by admissibility of X, the matrixX is nonsingular. Thus we may compute S = (X) −1Ỹ .
• By reversing the transformation of Algorithm 2, the shuffled secret image Q is reconstructed block by block. The plain secret image P is now obtained by generating the shuffling permutation π and applying its inverse on Q, then removing the padding.

Delivery of Shares
As outlined above, the secret image can be easily reconstructed upon the presence of the secret key and at least k shadow images. Therefore, the security of the proposed scheme is compromised if an unauthorized party gets hold of the shares. Therefore, the dealer must securely transmit each shadow image H i to its corresponding participant. Depending on the application, this can be accomplished using a secure channel, a cryptographic scheme through a public channel such as one of those proposed in Chen et al. (2004), Kanso and Ghebleh (2012), Fu et al. (2018) or a steganographic scheme which hides the presence of shadow images such as one of those proposed in Ghebleh and Kanso (2014), Fridrich et al. (2002).

Performance Analysis
In this section, we demonstrate the efficiency of the proposed scheme and its robustness against a number of attacks. The simulation results are based on the following parameters: the number of bytes per value β = 2, the number of participants n = 6, the threshold (minimum number of participants in an authorized set) k = 4, and m = 1024. For the tests presented in this section, we use the cat matrix Recall that each block of the process involves mkβ = 8192 bytes of the secret, resulting in 4096 elements of the field F q with q = 2 16 . Consider the standard grayscale image Lena of size 512 × 512 presented in Fig. 1 to be the secret image. Then each shadow image consists of 65536 bytes since the size of each share is 1/k the size of the secret. For presentation, each H i (1 i n) is reshaped into a 256 × 256 matrix also denoted by H i . Figure 2 depicts the six shadow images corresponding to the test image Lena.

Histogram Analysis
The histogram of a given digital image displays the distribution of its tonality. For a meaningful image such as the test Lena image, the histogram shows non-uniform distribution of its tonality, and hence one can derive some information about the content of the image. However, for a truly random image the histogram is almost flat, so no useful information about the image can be derived from it. This test shows that the histogram of each shadow  image is almost flat, that is the intensity values are uniformly distributed in {0, 1, . . . , 255}. Hence, no useful information about the secret can be derived from the shadow images. Figure 3 depicts the histograms of the test image Lena and one sample shadow image from H 1 , H 2 , . . . , H 6 . The histograms of the other shadow images show similar behaviour.

Correlation Analysis
Correlation analysis is a randomness test that identifies the strength of relationships between adjacent pixels. Meaningful images such as the test image Lena possess high correlation between adjacent pixels. This test shows that shadow images generated by the proposed scheme have almost no correlation between adjacent pixels. Consider a sample shadow image, and select N = 10000 random pairs of adjacent pixels x i and y i in the horizontal, vertical and diagonal directions. The correlation coefficient between the two sequences {x t } N t=1 and {y t } N t=1 is given by where μ x and μ y denote the mean values of x and y, respectively; σ x and σ y denote their standard deviations, and E[·] is the expected value. The correlation coefficient C xy ∈ [−1, 1], where a value 0 indicates no correlation and a value ±1 indicates complete correlation between the two sequences. Table 2 presents the correlation coefficients between {x t } N t=1 and {y t } N t=1 in (i) the Lena image and (ii) the shadow images. This table shows that the shadow images are almost free of any correlation between adjacent pixels in the horizontal, vertical and diagonal directions.
Furthermore, Fig. 4 depicts plots of randomly selected adjacent pixels (x t , y t ) in the horizontal, vertical and diagonal directions, where t = 1, 2, . . . , N, for the image Lena and a sample shadow image. In the case of Lena, one can easily observe the accumulation We repeat this test on 100 test images of various sizes and different structures. Each test image results in 6 shadow images. We compute the correlation coefficients between 10000 pairs of adjacent pixels in the horizontal, vertical and diagonal directions for a

Entropy Analysis
Entropy (Shannon, 1951) measures the unpredictability of information content. The entropy H (s) for a source s producing = 2 8 distinct symbols is defined by where P (s i ) is the probability of occurrence of s i in s. This test shows that the entropy measures H (s) for shadow images generated by the proposed scheme are close to those of truly random images i.e. H (s) ≈ 8. Table 3 presents the entropy measures for those images. Hence, it confirms the unpredictability of generated shadow images.
We repeat this test on 100 test images of various sizes and different structures. Each test image results in 6 shadow images. We compute the entropy measure for a sample shadow image from the 6 shadow images. The obtained results are also close to those of truly random images, hence we omit them.

Randomness Analysis
To showcase the randomness of the shadow images generated by the proposed secret sharing scheme, we subject the six shadow images corresponding to the test image Lena to the Statistical Test Suite (STS) published by the National Institute of Standards and Technology (NIST) (Bassham et al., 2010). The outcome of all tests turns out to be satisfactory. Furthermore, we repeat this test on 60 shadow images each of size 256 × 256 obtained from running the proposed scheme on the secret image Lena for 10 different secret keys. Table 4 presents the results of each statistical test.

Similarity Analysis
Similarity measures such as the Number of Pixels Change Rate (NPCR) and Unified Average Changing Intensity (UACI) (Wu et al., 2011) are two common measures used to study the similarity between random looking images. The NPCR and UACI are defined Table 4 Statistical Test Suite results for 60 shadow images corresponding to the test secret image Lena for ten different secret keys. The minimum pass rate for each statistical test with the exception of the random excursion (variant) test is approximately 57 for a sample size 60 sequences. The minimum pass rate for the random excursion (variant) test is approximately 29 for a sample size 32 sequences (Bassham et al., 2010 where P 1 and P 2 are M × N images. It is shown in Wu et al. (2011) that for gray images the ideal PSNR and UACI measures are 99.6094% and 33.4635%, respectively. Furthermore, the acceptance intervals for the null hypothesis for α-level of significance, where α ∈ {0.001, 0.01, 0.05} are as presented in Table 5 (Wu et al., 2011). In this test, we use the NPCR and UACI to measure the similarity between all possible pairs of shadow images corresponding to the test secret image Lena. It can be observed from the resulting measures presented in Table 6 that all measures are close to the ideal PSNR and UACI measures 99.6094% and 33.4635%, respectively.
On the basis of the obtained measures, we conclude that the shadow images generated by the proposed scheme are random-like in comparison with one another.

Security Analysis
The security of the proposed scheme depends on keeping the secret key K 0 and the shadow images secure. In this proposal, the key is held at a central authority and is not shared between the participants. On the other hand, the shadow images are securely transmitted to the participant. An unauthorized person has to get hold of the secret key and at least k shadow images to reconstruct the secret image. Now, guessing the secret key is unrealistic since it consists of six double precision floating point values in the interval [0, 1) which constitute the initial states x 0 and x 0 of the cat map, and six or twelve (depending on whether the same cat matrix is used for the generation of transformation matrices and shuffling the secret image or not) positive integers for parameters of the cat matrix. Furthermore, the final stage which consists of shuffling the shares is accomplished by using the cat map with three initial states and six control parameters for each share. Moreover, Fig. 5 shows the high sensitivity of the cat map to its initial states and control parameters. This figure presents the time series plot of {x t } 100 t=0 and {x i } 100 t=0 generated by the cat map defined in Eq. (3), where |x 0 − x 0 | = 10 −15 . It is evident from this figure that after about ten iterations the two series become far apart from each other. Nonetheless, for security issues, a chaotic map such as the cat map is usually iterated at least 200 times without considering its outputs. Likewise, guessing k shadow images, where each shadow image  Table 7 The running times for encoding secret image of size 2 s × 2 s for s = 8, 9, . . . , 13 into n = 6 shadow images using the proposed scheme with k = 4 and m = 1024. consists of L/k bytes, is equivalent to guess the secret image since one has to guess L bytes (L is the length of the secret).
In the scenario where (k − 1) shadow images are present, the unauthorized set of less than k participants cannot reveal any useful information about the secret image. This is due to the fact that the secret key is unknown and that one of the shadow images is missing. This can be observed from the following example. Consider a single k × m block S which can be obtained as follows: S = (X) −1Ỹ . Now if the k × k submatrixX induced by the rows i 1 , i 2 , . . . , i k of X is unknown and one of the rows ofỸ is unknown, then the probability of guessing the missing elements in F q , where q = 2 16 , correctly is about (1/q) k 2 +m , which renders the brute force attack infeasible for m > 100.

Running Speed
In the proposed (k, n)-threshold SIS, the generation of admissible vectors in F k q is image independent. Therefore, a dealer can generate the number of admissible vectors needed for the encoding of any secret image prior to the encoding process. Now, the complexity of multiplication of an r × s matrix by an s × t matrix is O(rst). Thus, the complexity of computing the n shadow images is O(Lnk). Table 7 reports the running times under the aforementioned scenario for generation of shadow images for a secret image of size 2 s × 2 s for s = 8, 9, . . . , 13. The reported results are obtained using MATLAB R2016a on a desktop machine with an Intel ® Core™ i7-4770 processor and 8 GB of memory, running Windows 10.  Furthermore, Fig. 6 shows the running times for encoding the image Lena into n shadow images using the proposed scheme with k = 4 and m = 2 s , for s = 8, 9, . . . , 15.

Error-Resilient Capability
This section shows that the proposed scheme has some error-resilient capability. If some shadow images were disturbed by some noise such as salt and pepper of ratio 0.05 and 0.1, then the secret image can be reconstructed as shown in Fig. 7.
Furthermore, we show that if some shadow images are cropped by a certain percentage, then the secret image can still be reconstructed. Figure 8 presents a shadow image cropped by 5% and another one cropped by 10%. Figure 9 (left) presents the reconstructed secret image Lena resulting from four shadow images where one of them is cropped by 5%, whereas Fig. 9 (right) presents the reconstructed secret image Lena resulting from four shadow images where one of them is cropped by 10%. Thus, it is evident that the proposed scheme is resistant to the cropping attack.

Comparison with Existing Work
In this section we compare the performance of the proposed approach, referred to by Pr-SIS, with few existing (k, n)-SIS schemes: TL (Thien and Lin, 2002), Wu (2013), KG (Kanso and Ghebleh, 2017), KE (Kabirirad and Eslami, 2018) and GK . All comparisons are performed with (k, n) = (2, 4) with the secret image Pirate of size 512 × 512 presented in Fig. 10. The sizes of the generated shadows images are presented in Table 8.
In Table 9, we present the correlation coefficients between N = 10000 pairs of randomly selected adjacent pixels in the horizontal, vertical and diagonal directions of sample shadow images generated by TL (Thien and Lin, 2002), Wu (Wu, 2013), KG (Kanso and Ghebleh, 2017), KE (Kabirirad and Eslami, 2018), GK  and Pr-SIS. It is evident from this table that all schemes generate shadow images almost free of any correlation between adjacent pixels. Table 10 presents the entropy measures of sample shadow images of the schemes under comparison. Table 11 presents the mean absolute difference of the secret image Pirate and the reconstructed image by the schemes under comparison. This table also presents the Peak Fig. 10. The test image Pirate of size 512 × 512. Table 8 The size of shadow images generated by the scheme under comparison.

H (s)
TL (Thien and Lin, 2002) 7.901762 Wu (Wu, 2013) 7.943923 KG (Kanso and Ghebleh, 2017) 7.908187 KE (Kabirirad and Eslami, 2018) 7.999300 GK  7.999249 Pr-SIS 7.998559 Signal to Noise Ratio (PSNR) and The Structural Similarity (SSIM) measures between the secret image and the reconstructed one (Wang et al., 2004). On the basis of the above results it is evident that the proposed scheme is competitive with existing schemes. Many existing secret image sharing schemes use arithmetics in the finite files F q where q is a suitable prime. This yields in the need for truncation of values and, in turn, in all these schemes being lossy, and hence incapable of applications where the secret is sensitive. The proposed scheme, on the other hand, is defined on the field F q where q is a power of 2. This choice is more suitable for handling binary data since with a proper choice of q one can avoid truncations of values. As shown in Table 8, among the schemes in comparison, only KE is lossless, but it is at a clear disadvantage to the proposed scheme Pr-SIS since each shadow image produced by KE has the same size as the original secret image.

Concluding Remarks
In this research, we propose a lossless linear algebraic (k, n)-SIS which associates a vector v i to the ith participant in the vector space F k q , where q is a power of 2. Admissibility conditions are imposed on the vectors v i to satisfy the threshold property of secret sharing. The scheme is shown to possess a number of characteristics such as robustness against standard statistical attacks, high level of security including sensitivity to its secret key, resilience to errors in shadow images, and reduction in the size of shadow images with respect to the size of the secret image. Another feature of the scheme is being lossless, which enables applications to digital media other than raw images. For example, the proposed scheme can be used for sharing textual data, JPEG images, video, etc.
The proposed scheme is very fast provided the admissibility of the transformation matrix is verified beforehand. This step is independent of the secret image and does not present any security risks to the process of secret image sharing. On the other hand, checking admissibility is costly in general and could be considered as a disadvantage of the proposed scheme if it is not performed independently of the secret sharing itself. Processing time and shadow image size can be further reduced if the proposed scheme is used in conjunction with image compression algorithms such as those based on vector quantization.