Testing the randomness of shares in color visual cryptography

The concept of black-and-white visual cryptography with two truly random shares, previously applied to color images, was improved by mixing the contents of the segments of each coding image and by randomly changing a specified number of black pixels into color ones. This was done in such a way that the changes of the contents of the decoded image were as small as possible. These modifications made the numbers of color pixels in the shares close to balanced, which potentially made it possible for the shares to be truly random. The true randomness was understood as that the data pass the suitably designed randomness tests. The randomness of the shares was tested with the NIST randomness tests. Part of the tests passed successfully, while some failed. The target of coding a color image in truly random shares was approached, but not yet reached. In visual cryptography, the decoding with the unarmed human eye is of primary importance, but besides this, simple numerical processing of the decoded image makes it possible to greatly improve the quality of the reconstructed image, so that it becomes close to that of the dithered original image.


Introduction
The methods of visual cryptography are used to transfer the visual information in a safe way, so that no technical device is needed to decode the secret message. The secret message, or simply the secret, is an image. This secret is coded in a pair of images, from which none contains any information on the secret. When these images are overlaid on one another, the secret image becomes visible to an unarmed human eye.
In the classical visual cryptography introduced by Naor and Shamir [20,21], the secretness of the coded image results from the lack of correlation between the secret and the images in which the secret is coded. This lack of correlation is sufficient for the secret to be impossible to reconstruct from any single coding image. However, the coding images have the characteristics which reveal the mere fact that some information has been hidden.
These fundamental works have been extended to graylevel and also color images in a number of ways (see [5,18,25] and the literature therein). To name some recent works, let us refer to [6,8] where images of good quality were effectively obtained with the CMY and RGB color models. The use of numerical post-processing to restore the original secret image quality from the shares, which goes beyond the decoding with the bare human eye, was described in [15].
Recently, a concept of coding the images with shares that have some properties of randomness has been proposed in [23]. It was an extension of the concept of Naor and Shamir made in such a way that in the case of black-and-white two-level images the shares have a truly random structure, as demonstrated in [24]. In the case of color images, this method made it possible only to provide for the randomness of color components in the shares, but not the true randomness of shares as whole images, as shown in [22]. Further, a method was proposed in [2] to improve the visual appearance of randomness of the coding images, but it was evident that the resulting binary representations could not pass the randomness tests successfully.
In this paper, the original contributions are as follows. First, the method is presented to make the coding images as close to random as possible. This can be achieved with very little additional loss of quality of the reconstructed image, beyond that introduced by the coding itself. Second, the randomness is extensively tested with the NIST Statistical Tests Suite [1], with a partial success. To the best of our knowledge, in the literature there are no mentions on performing such tests for the shares in visual cryptography. Third, a relatively simple method of improving the quality of the decoded image by processing it numerically is presented. It improves the brightness and contrast of the decoded image. As a side effect, it reveals the degree to which the random processes present in the coding algorithm distort this image, with respect to the dithered version of the original secret. Differently from the method proposed in [15], where the shares were processed numerically, in our method only the decoded image is processed in the reconstruction algorithm.
Distracting the attention of observers from the fact that secret information is transmitted increases the security of the transmission process. Randomness of the data stream goes in a similar direction as making it seemingly contain unimportant information, as in the case of visual cryptography where the shares appear to contain some irrelevant images [19,27], or in the coding of audio signals which mimic the sounds emitted by animals [28].
The remaining part of this paper is organized as follows. In the next section, the general methodology used in visual cryptography is recapitulated. The coding of binary images, with the classic as well as the random method, is described in Sect. 2.1. The transformation of a color image into an image containing only the black, red, green and blue pixels, in which binary coding is possible, is presented in Sect. 2.2. The method of mixing the pixels which improves the visual appearance of the images is recalled in Sect. 2.3. Two methods of improving the randomness of the shares are presented in Sect. 4. The algorithms are illustrated with one artificial and one realistic example in Sects. 3 and 5. The results of testing the randomness of the shares are presented in Sect. 6. Section 7 contains some remarks on problems related to the quality of decoded images, on the possibility of improving it by simple numerical processing of the decoded image, and finally on the significance of color in visual cryptography. In Sect. 8, the paper is concluded.

The coding method
Let us briefly recall the basic notions and methods used in purely visual cryptography. Broader descriptions can be found in [2,22,23,24], with [22] being the most complete description.
The encoded image is called the secret. For the beginning, let us consider a two-level, black-and-white image. The secret is encoded in two images called the shares. The shares are printed on a transparent medium. The decoding consists in precisely overlaying the shares on each other, which makes the secret visible to a naked human eye.

Coding a two-level image
A single pixel in the secret is represented with a square of n×n pixels, called the tile, in each share. Let us assume n = 2. There are 16 different possible tiles shown in Fig. 1.
In the classic coding [20,21], in one share, called the basic share, the tile corresponding to each pixel of the secret is represented with one of the tiles 4, 6, 7, 10, 11, 13, chosen at random. The coding is done as follows. If the pixel in the secret is black, then in the other share, called the coding share, the negated tile is set. (For tile 7, this would be tile 10.) When the shares are overlaid, the tile corresponding to this pixel appears black. If the pixel in the secret is white, then in the coding share the same tile as in the basic share is taken. Then, after superposition, this tile is half-white. The contrast of the decoded image is half of that of the secret, but the pattern can still be easily seen.
This method was extended in [23] so that the shares became truly random, in that the tile in the basic share is drawn at random from among all the 16 possible tiles. This causes differences with respect to the classic decoding. The white pixels can become not only 1/2 white, like in the classic method, but also 1/4 or 3/4 white (there are no errors in black pixels). The presence of such errors, analyzed in [24], is the cost of the true randomness of the shares.

Dithering a color image into two levels
To code a gray-level image, it can be dithered into the black-and-white one. Similarly, the color image can be dithered into the one containing only black, red, green and blue pixels. Assume that an image is represented with a set of color columns, circularly R, G and B. Let us now represent each pixel in the secret with a 3×3 segment. In Using the square segments is a matter of convenience, so the dimensions of the segment are 3 × 3 . This makes it possible to represent four brightnesses of each color: 0, 1/3, 2/3 and 3/3, by setting 0, 1, 2 or 3 pixels to color in a column. Three four-level colors form a 64-color palette, in which the secret can be dithered.
In the resulting image, the pixel can be either black or full color: red, green or blue. Such an image can be coded, with either the classic or random coding, as described above. Each pixel of the secret is first replaced with a 3×3 segment, and then, each pixel of this segment is replaced by a 2×2 tile. Hence, a pixel is expanded into $3^2 \times 2^2 = 36$ pixels.

Mixing
The structure of the segment shown in Fig. 2 implies that the R, G and B pixels in the shares and in the decoded image are organized in columns. If the coding is random, their values are random, but their locations remain fixed to color columns [22]. Later it was proposed in [2] to mix the pixels, in two ways: by the 4×4 tiles and by pixels, where all the 36 pixels within each segment are mixed without observing the tile structure. Here, we shall use only the mixing by pixels, because the resulting decoded images have a better visual appearance [2]. In this paper, only mixing the randomly coded images is shown; however, the same can be done also for classic coding.
From the method of coding with tiles of Fig. 1, it follows that in each share, there is one black pixel per one color pixel; hence, the number of black pixels equals the sum of numbers of color pixels. This holds strictly in classic coding and in the sense of the average in random coding. Therefore, such an image structure is far from being random.

Test example
A simple test image (used also in [2,22]) and its coding with the described methods are shown in Fig. 3. It contains squares in basic and complementary colors, and four shades of gray, which happen to be accurately represented in the palette used. Pixels are replaced by 3×3 segments, with proper pixels set on, which forms the decomposed image in Fig. 3b. The result of decoding from the classical coding is shown in Fig. 3c and from the random coding in d. The mixing makes this image lose the striped texture (Fig. 3e). One of the two shares for images d and e is shown in Fig. 3g, h. (Images i and j will be referred to later on.) Some of the stages of the coding and decoding process reduce the quality of the images. The first reason for quality loss is the dithering into the 64-color palette. The second reason is the decomposition of the dithered image into the two-level image. In the white pixel of the secret, all the pixels of the corresponding segment are on, while in the red (green, blue) pixel only the pixels in the red (green, blue) column are on. Inevitably, in this representation the image is darker than the original. The coding by decomposing into tiles (image c) further reduces brightness and contrast, which is typical in the majority of purely visual cryptographic methods. The random coding (d) additionally introduces its specific errors. The mixing (e) removes the column-wise structure of the image which improves its evenness, but amplifies the granularity of texture.

Improving the randomness
As written before, half of the pixels in a share are black, and the remaining ones are R, G and B. Note that before the mixing is performed, in each column the pixels are coded with tiles (Fig. 1) which are half-black and half-color, according to the color of the given column. Consider the segment 6×6. From 36 pixels, 18 are black, and the remaining 18 are: 6 R, 6 G and 6 B. To make the numbers of pixels in the colors equal, 3 black pixels should be turned to red, 3 to green and 3 to blue. Then, in the segment there would be 9 black, 9 red, 9 green and 9 blue pixels. In the whole image, 3/36 = 1/12 of black pixels should be modified by changing to red, 1/12 to green, etc. Generally, the black pixels to be changed should be drawn at random, without any reference to the contents of the secret image, which should ensure the randomness of the shares.
Free method The totally random method of modifying the black pixels into color ones consists in changing the proper numbers of black pixels totally at random, separately in each share. Locations of pixels to be modified as well as their colors are drawn at random. In the decoding, therefore, some black pixels turn into color if their colors occur equal (rare case), black if one of the pixels remained black and black if pixels are in different colors. (Two different ideal filters in different basic colors overlaid give black or very dark in nonideal case.) In this way, the decoding errors, additional to those resulting from the random coding by the tiles, appear in the decoded image. As it will be shown in the examples in the next section, these errors, although visible, do not make it impossible to recognize the shapes and colors in the decoded images. Adding the equal number of randomly displaced R, G and B pixels corresponds to adding some whiteness to the image, so this decreases the contrast of the result. This method will be denoted as free or F. The result is illustrated in Fig. 3f, i.
Fig. 2 Variants of a 3×3 pixel segment which encodes a single color pixel (in this case, white, gray or black). a Full brightness-white pixel; b brightness 2/3-bright gray; c brightness 1/3-dark gray; d brightness 0-black pixel. Image used in [2,22]
Intermediate method Optimally, adding color pixels to the shares should not introduce any changes in the decoded image. In cases when the given pixel is black in both shares, then in only one share this pixel is changed into a random color. However, from the coding algorithm it follows that the overlapping black pixels appear more frequently in brighter regions of the secret. Modifying only these pixels and leaving the remaining ones untouched would reveal the shade of the secret in the share. Therefore, the changes should be made also in the pixels where a black pixel in one share overlaps a color pixel in the other share. In such a case, the black pixel can be changed to a random color, but different from the color of the corresponding pixel in the other share. Pixels in which there is a same color in both shares cannot be changed. This method will be denoted as intermediate or I. This procedure can be performed globally (global intermediate method): A pixel is drawn from the image at random, and if at least in one share the pixel is black, the modification is made; this is done until the proper number of black pixels are changed into each color. The resulting decoded image is strictly equal to that generated from the shares without modification (Fig. 3e). However, a problem appears: A shadow of the secret is visible in the shares, as shown in Fig. 4.
The reason for this is that the pixels are randomly drawn for changes, but the probability of meeting a double black or single black pixel in the shares is not independent of the contents of the image; hence, the density of changes actually made is far from constant throughout the image. Similar problems, related to contrast change in the image, where the CMY color space was used, were reported in [11] to have appeared in the earlier work of this author [12], cited in that paper, and were overcome in [11].
To correct this clear drawback of the global intermediate method, it is proposed to perform the changes locally, so that the number of color and black pixels is balanced in each 6×6 segment, in each share. Hence, the same is done as described in the intermediate method, but in each segment separately. Further, when we refer to the intermediate method, or I, without any qualifier, we always have in mind its local version.
Coordinated method Unfortunately, the mutual locations and colors of pixels do not always make it possible to perform all the necessary nine changes in two shares, in each segment. The number of missing changes in the test image is shown in Fig. 4c. Note that the largest numbers of missing changes are found in the brightest region of the image.
There is no other way than to complement these missing changes with the proper number of random changes, like in the free method. This introduces errors in the decoded image, but their number is as small as possible, because these changes are made after all other possibilities are used. In practice, it was measured that the number of such error introducing changes is less than 2% of all changes made in a small (test100) and less than 0.5% in a large one (peppers). It must be stated that in some tiles it happens that there are no black pixels left to be changed; such cases constitute less than 0.1% in small images and less than 0.01% in large ones, so we shall consider this problem as negligible.
Figure caption (fragment): f as (e), modified with free method; g one share of (d); h one share of (e); i one share of (f). The same or similar example of a secret image (a) was used in [2,22]. The sources of the images shown in this and the following images are available from [4]
The described local intermediate method corrected with the addition of free elements will be called the coordinated method or C, due to that the changes are coordinated between the shares in one segment.

Example of a natural image
The image parrots from [9] was chosen due to its bright and varied colors. Its size was reduced by resampling, to show better the coded images which have an increased resolution (Fig. 5). In this example, not only the color evenness, but also the preservation of details can be assessed. Despite the losses of quality, in the image decoded from random shares the objects can be recognized and the colors can still be noticed. The additional errors introduced by the coordinated method, the most frequent in the bright regions of the image, do not reduce its quality significantly; rather, they tend to slightly improve its contrast.

Testing the randomness
In several places, in this paper we used the term true randomness. When doing this, we have implicitly made a simplifying assumption that "the sequence which possesses all the properties that a truly random sequence would have" can be considered as "sufficiently random." The cited statement comes from the abstract of [14]. The author of this phrase extends this line of thought by stating that a satisfactory testing "would require an infinite number of tests." By referring to an infinite number of tests these considerations become more philosophical than technically orientated. Although far from infinite, the sets of tests have been designed. Among these, the TestU01 library [17] and the NIST Statistical Tests Suite [1] are easily accessible and frequently used by cryptographers ([17]: over 1000 citations; [1]: over 2800 citations [10]). The NIST Suite is more recent and seems to be easier to use. Therefore, we have chosen it as a practical solution to the question of how to check whether the data we generate can be considered as random or not.
While being aware of that the true randomness is generally a difficult and still open problem, we have treated the use of the NIST Suite as a means to classify the sequences of bits generated by our methods as only apparently unordered but definitely not random or possible to be considered as random. Seeking to apply an infinite number of tests would not make us closer to the answer to our basic question: yes or not. So, if there are no indications to treat a sequence as not random, we shall consider it not only looking as random, but truly random, all the time in a limited, engineering sense.
For the tests, a pixel was expressed as two bits: 00 for black, 01 for red, 10 for green and 11 for blue. This arbitrary assignment was believed not to influence the result. Pixels were saved in two separate files: by rows and by columns. Both shares were tested. Therefore, for each image there were four data files. Besides the above mentioned two images, a number of well known benchmark images were used: baboon, peppers and Lena (to be found in the sources cited in the historical web site [13]).
Figure caption (fragment): blue, dark green, green, dark red, red). d Share from coordinated method; e decoded image from coordinated method: some errors visible; f decoded from random method with mixing (Fig. 3e), for comparison (color figure online)
Default values of the parameters of the NIST software were used; in particular, = 0.01. Results for the tests which have subtests (CumulativeSums, NonOverlappingTemplate, RandomExcursions, RandomExcursionsVariant) were shown together, so finally 188 tests with their subtests were treated as just 15 tests.
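The two-bit pixel encoding and the row/column serialization described above, run through the NIST Frequency (monobit) test, as an added example that is not the authors' code. The share is a constructed stand-in with the per-segment color counts stated earlier (18 black, 6 red, 6 green, 6 blue per 6×6 segment); `make_share`, `balance_segments` and the letter codes K/R/G/B are hypothetical, and the balancing here recolors black pixels in a single share without the cross-share rules of the intermediate and coordinated methods.

```python
import math
import random

# Two-bit pixel codes from the text: 00 black, 01 red, 10 green, 11 blue.
CODE = {"K": (0, 0), "R": (0, 1), "G": (1, 0), "B": (1, 1)}
SEG = 6  # one secret pixel -> 3x3 segment of 2x2 tiles -> 6x6 share pixels


def make_share(seg_rows, seg_cols, rng):
    """Constructed stand-in for a mixed share: each 6x6 segment holds
    18 black, 6 red, 6 green and 6 blue pixels at random positions."""
    img = [[None] * (seg_cols * SEG) for _ in range(seg_rows * SEG)]
    for sr in range(seg_rows):
        for sc in range(seg_cols):
            pix = list("K" * 18 + "R" * 6 + "G" * 6 + "B" * 6)
            rng.shuffle(pix)  # mixing by pixels inside the segment
            for i, color in enumerate(pix):
                img[sr * SEG + i // SEG][sc * SEG + i % SEG] = color
    return img


def balance_segments(img, rng):
    """Recolor 9 randomly chosen black pixels per segment (3 R, 3 G, 3 B),
    so that every segment ends with 9 pixels of each of the four kinds."""
    out = [row[:] for row in img]
    for r0 in range(0, len(out), SEG):
        for c0 in range(0, len(out[0]), SEG):
            black = [(r, c) for r in range(r0, r0 + SEG)
                     for c in range(c0, c0 + SEG) if out[r][c] == "K"]
            for (r, c), color in zip(rng.sample(black, 9), "RRRGGGBBB"):
                out[r][c] = color
    return out


def segment_counts(img, seg_row, seg_col):
    """Color histogram of one 6x6 segment."""
    counts = {"K": 0, "R": 0, "G": 0, "B": 0}
    for r in range(seg_row * SEG, (seg_row + 1) * SEG):
        for c in range(seg_col * SEG, (seg_col + 1) * SEG):
            counts[img[r][c]] += 1
    return counts


def to_bits(img, by="rows"):
    """Serialize the share as a bit list, reading pixels by rows or by columns."""
    lines = img if by == "rows" else list(zip(*img))
    return [bit for line in lines for color in line for bit in CODE[color]]


def frequency_test(bits):
    """NIST SP 800-22 Frequency (monobit) test: p = erfc(|S_n| / sqrt(2n)),
    where S_n is the sum of the bits mapped to -1/+1."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def demo(seed=1):
    """p-values for the four bit streams of an unbalanced and a balanced share."""
    rng = random.Random(seed)
    share = make_share(10, 10, rng)          # 60x60 pixels, 7200 bits
    balanced = balance_segments(share, rng)
    results = {}
    for name, img in (("half-black", share), ("balanced", balanced)):
        for direction in ("rows", "columns"):
            results[(name, direction)] = frequency_test(to_bits(img, direction))
    return results


if __name__ == "__main__":
    # The half-black share yields one third of 1-bits and fails at 0.01;
    # exact per-segment balance yields exactly half 1-bits, so S_n = 0.
    # The monobit statistic ignores bit order, so both directions agree here;
    # reading direction only matters for order-sensitive tests.
    for key, p in demo().items():
        print(key, p)
```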
To make it possible to capture the state of the randomness for one image as a whole, it has been attempted to show the results for 100 random realizations of coding, two directions and two shares, in one page. This conforms with the concept of small multiples introduced by Tufte [26], which advices to present all the relevant data together, so that they can be perceived simultaneously.
The results are presented in the form of histograms of p-values (Figs. 7, 8). Further we shall refer to the p-values as simply p. The width of the bins is ∕4 . The counts for the test failures, p ≤ , denoted in the key of the graphs with a graphical symbol as low, are shown in shades of red. The histogram values for the success of the tests, denoted as good, are shown in the shades of gray. Separately, to the right of the range of p, the number of cases for which the preconditions for the tests were not met is shown with the shades of blue and denoted with a question mark meaning not applicable. This can happen for tests: RandomExcursions, RandomExcursionsVariant and Universal, for which the NIST Tests Suite can issue warnings. The data for the basic shares, denoted as share 1, are shown with full symbols and for the coding shares as share 2, with empty symbols. The data for reading the pixels by columns, vertically, are shown with bars and by rows, horizontally, with circles.
To show clearly the important data for p ≤ which indicate the failures of the tests, a nonlinear axis for p is used. The transformation is $p \to p^a$, with $a$ such that the point 0.01 takes the place of the former point 0.1.
Let us start with the results of analysis for image Text-Black shown in Fig. 6 used in [24] to illustrate the basic random algorithm for two-level images, introduced in [23]. The image and the result of decoding are shown together.
The graphs of p-values shown in Fig. 7 show that the basic random version of the coding is truly random.
For all the tests, the majority of realizations passed successfully. The tests that failed are in minority, and their frequencies conform to the generally flat distribution of p-values. The cases which did not meet the initial conditions of some tests are also rare.
The results for the image parrots (shown in Fig. 5a), coded with the coordinated method, are shown in Fig. 8.
The same results for this one and other images are shown in an abstracted form in Table 1, where for each test only the numbers of low, good and not applicable results are given. This hides the distribution of p-values but makes it possible to present the results for many images condensed in a limited space. The histograms themselves can be found by the interested reader in supplementary material [3].
In three images, the numbers of black pixels were reduced with three methods: free, intermediate and coordinated. Results from the coordinated method are generally worse than those of the free method. This indicates that the changes in the shares restricted to operating on each segment separately, although giving visually better results, are strongly less random than making the changes freely. The free method, however, has an important drawback of reducing the contrast of the decoded image, shown in images of Figs. 4f and 5e. It does not guarantee the randomness in all the cases (baboon: ApproximateEntropy, parrots: Runs, LongestRun, ApproximateEntropy, Serial). The local intermediate method gave less random results than the coordinated one, especially for the tests Frequency and CumulativeSums. Therefore, we discontinued testing this method, in spite of that this method yields the decoded images free from additional errors. We did not show the results for the global intermediate method, which is unacceptable due to information leaks, but unexpectedly, it generally has a better randomness. (Some detailed results are available in supplementary material [3].) The tests which can be considered as confirming the randomness of the color shares are Frequency, BlockFrequency, CumulativeSums, Rank, RandomExcursions, RandomExcursionsVariant and LinearComplexity.
The tests which always or nearly always reject the randomness are Runs, LongestRun, OverlappingTemplates and ApproximateEntropy.
It can be also noted that the preconditions for RandomExcursions and RandomExcursionsVariant were not met over twice more frequently for images read horizontally than for those read vertically (Fig. 8), which is an indication of directionality, present in the expectedly isotropic objects.
Finally, it should be stated that the search for true randomness, successful for the black-and-white images, is still an unreachable target for the color ones.

Hiding the pixels and the quality of decoded images
The vital advantage of the visual cryptography methods is the possibility to decrypt the secret image from the shares with the bare eye only, without any equipment. In this process, the ability of the human eye to see the objects even if they are distorted due to noise or errors is important. This ability was helpful in reading the decoded images, as the errors are inevitably inherited in the random methods used. Besides these errors, the visual cryptography methods heavily rely on the process of hiding some pixels in one share by other pixels in another share. In this way, only (or nearly only) those pixels are exposed to the human observer which are necessary to form the useful image, while all (or nearly all) the remaining ones are hidden. Hiding the pixels which are not intended to be seen plays the fundamental role in the decoding process. Therefore, it seems not possible to get rid of the reduction in the brightness and of other negative results of the hiding process, as far as the RGB color space is used.
(We have not explored the application of the CMY space in which the colors arise in the process of overlapping the shares.)

Reconstruction of the decoded image with numerical processing
The possibility of numerical processing of the reconstructed secret (independently of the decoding with a bare eye) opens new possibilities. This is somewhat remote from our main domain of interest, which is the encryption itself, but let us explore this path of reasoning to some extent. Let us remind that in the dithering process, the following four intensities are assigned to the R, G and B components: 0, 1/3, 2/3, 1. If there are no errors, these intensities are reflected by the presence of 0, 2, 4, 6 pixels in R, G and B, respectively. So, the numbers of pixels in the range [0, 6] can be projected into the range of color intensities [0, 255]. The odd numbers of pixels are errors, but when only the reconstructed secret is available (or shares), the information on the nature of errors is lost. Therefore, the odd values can be assigned to the nearest even value up or down, at random, or simply left unchanged-this second approach was used here. In this way, the decoded image can be restored back to the state close to that of the image dithered into the 64-color palette. In the case of the test image of Fig. 3a, the dithering introduces no distortion at all. (Loss of quality visible in Fig. 3b is due to decomposition into color stripes.) The result of restoration for this image and that for the image of Fig. 5, in comparison with the dithered images, are shown in Fig. 9.
The reconstructed images reveal in a visual way what is the level of errors introduced at the stages of the coding process. These errors result from using the random coding with all the tiles of Fig. 1 and of balancing the colors in the shares in the coordinated method. It can be seen that besides the presence of the errors, a considerable part of information is maintained.
It can be postulated that the raw decoded image is what can be used in the field conditions, while in the laboratory conditions the image can be further processed to receive the reconstructed image.
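An added end-to-end example (not the authors' code) of classic tile coding applied to one dithered color pixel, overlay decoding, and the pixel-count reconstruction described in this section. Assumptions: the k lit pixels of a segment column are its top k rows, a tile is a 4-bit mask over its 2×2 pixels, and all function names are hypothetical.

```python
import random

COLUMNS = "RGB"  # color of each segment column, left to right
# The six half-black 2x2 tiles of classic coding: 4-bit masks with two bits set.
HALF_TILES = [m for m in range(16) if bin(m).count("1") == 2]


def segment(levels):
    """3x3 on/off segment of a dithered pixel; levels = (r, g, b), each 0..3.
    Assumption: the lit pixels of a column are its top rows."""
    return [[row < levels[col] for col in range(3)] for row in range(3)]


def tile_pixels(mask, color):
    """Expand a 4-bit mask into a 2x2 tile: set bit -> color, clear bit -> black."""
    return [[color if (mask >> (2 * r + c)) & 1 else "K" for c in range(2)]
            for r in range(2)]


def encode(levels, rng):
    """Classic coding of one secret pixel into two 6x6 share blocks."""
    basic = [["K"] * 6 for _ in range(6)]
    coding = [["K"] * 6 for _ in range(6)]
    for row, line in enumerate(segment(levels)):
        for col, lit in enumerate(line):
            mask = rng.choice(HALF_TILES)              # random tile in the basic share
            other = mask if lit else mask ^ 0b1111     # same tile if lit, negated if dark
            for share, m in ((basic, mask), (coding, other)):
                for r, tile_row in enumerate(tile_pixels(m, COLUMNS[col])):
                    share[2 * row + r][2 * col:2 * col + 2] = tile_row
    return basic, coding


def overlay(a, b):
    """Stack two shares: a color survives only where both shares carry that
    color; black in either share, or two different colors, give black."""
    return [[pa if pa == pb else "K" for pa, pb in zip(ra, rb)]
            for ra, rb in zip(a, b)]


def color_counts(block):
    """Number of black, red, green and blue pixels in a 6x6 block."""
    return {c: sum(row.count(c) for row in block) for c in "KRGB"}


def reconstruct(decoded):
    """Project the per-color pixel counts (0..6) onto intensities 0..255.
    Odd counts, which only arise from coding errors, are left as they are."""
    counts = color_counts(decoded)
    return tuple((255 * counts[c] + 3) // 6 for c in COLUMNS)  # rounded 255*n/6


if __name__ == "__main__":
    rng = random.Random(7)
    levels = (3, 1, 2)                      # constructed dithered pixel
    s1, s2 = encode(levels, rng)
    decoded = overlay(s1, s2)
    print("share 1 counts:", color_counts(s1))   # independent of the secret pixel
    print("decoded counts:", color_counts(decoded))
    print("reconstructed RGB:", reconstruct(decoded))
```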

Why color?
Finally, let us consider the question of color in visual cryptography, having in mind that some loss of quality is unavoidable, and hence, the color information is attenuated. It is not necessary to explain that color is a very important feature used by the visual system of humans. It simply follows from our everyday experience. When poor light conditions make the color part of our visual system (photopic vision) switch off, we feel an important decrease in our visual abilities, although our gray-level vision (scotopic vision) works properly with dim light. Furthermore, to justify the existence of research on color visual cryptography it is not enough to state that such research is actually being carried out, which can be deducted from the large number of publications emerging each year.
One of the examples of visual cryptography for images which are only black-and-white is the coding of images with text. This example is used throughout the literature, for example in [7]. (We went the same way in some of our previous papers.) After decoding, the text can be read with smaller or greater ease. The loss of quality inherent in the methods makes it doubtful whether the color images can be effectively used after decoding. This doubt results mainly from that the color images are considered as suitable for displaying complex objects, while in simple shaped objects color is of secondary importance. Considering the image of parrots used throughout this paper seems to be of little practical importance, as in the decoded image the major part of the natural beauty and richness of this image is lost.
However, color is widely used and is very important also in simple images, which can be recognized easily. Let us consider the flags of countries, which are usually composed of very simple shapes. Even if some small graphical elements are present in them, it is rather the general shape and colors which make the flags recognizable. As an example of the significance of color, let us look at the selected flags shown in Fig. 10. Besides that the shapes are radically simple, without color information the significance of the flags would remain unknown.
The images to be coded can even be well known to the reader beforehand, like in the case of the emergency icons (Fig. 11a). They can be recognized at a glance, even in the low-quality decoded images, largely due to color information, which is chosen according to the meaning of the icon.
Hence, it seems reasonable that color visual cryptography can be applied, for example, in cases when some simple iconic information of high importance should be secretly and safely transmitted to a place where there are no technical resources available to decrypt it.
Fig. 9 Illustration of reconstruction for a test and a natural image in comparison with the versions dithered in the 64-color palette used for color coding. a Image reconstructed from the image of Fig. 3e; b image of Fig. 3a dithered. c Image reconstructed from the image of Fig. 5f; d image of Fig. 5a dithered (color figure online)

Conclusions and perspective
The concept of visual coding with shares in which colors are coded in the completely random way was modified by locally mixing the contents of the shares and by equalizing the numbers of black, red, green and blue pixels in the shares. For this, a specified number of black pixels in the shares were changed into color ones. The developed method of modification did not reduce the quality of the decoded image significantly with respect to that of the previously known methods. The battery of 15 NIST randomness tests was applied to experimentally check the randomness of the shares for a set of one two-level image and five benchmark color images. From this battery, all the tests passed with a success for the randomly coded two-level image. For color images, seven tests passed with success, four failed nearly always, and the remaining four ones gave varied results. Therefore, the goal of hiding the process of information transfer in the purely visual color cryptography is far from being reached, although the presence of successes as well as failures indicate that some level of randomness has been attained.
It has been shown how the quality of the decoded images can be improved with simple numerical calculations made solely on the decoded image. There is no need to analyze the shares.
Further studies should be concentrated upon explaining the reasons for failures and on improving the coding algorithms to make more statistical randomness tests pass. It seems that one of the directions could be breaking the requirement of local balance between colors in the shares.