Post on 16-May-2023
Journal of Mobile, Embedded and Distributed Systems, vol. IV, no. 1, 2012
ISSN 2067 – 4074
On the Security of Black-Box Implementation of Visual Secret Sharing Schemes
Adrian ATANASIU, Ruxandra OLIMID, Emil SIMION
Faculty of Mathematics and Computer Science
University of Bucharest
ROMANIA
aadrian@gmail.com, ruxandra.olimid@fmi.unibuc.ro, esimion@fmi.unibuc.ro
Abstract: Cryptographic software and devices give users the ability to take advantage of the benefits of cryptography more easily. However, this implies that the users must totally trust the manufacturer and the authenticity of the device or software they use. Young and Yung were the first to question the correctness of the manufacturer and considered the advantage that a malicious implementation could offer to a specific attacker. In this paper, we consider a modified version of two visual secret sharing schemes and the advantage that they provide to the attacker in order to reconstruct the secret by himself, while the other participants must fulfill the honest scheme reconstruction conditions. We also analyze the security of the proposed mechanisms and the conditions in which they can be applicable.
Key-Words: SETUP, visual secret sharing, black-box
1. Introduction
Cryptographic devices are used widely
nowadays. They provide the owner the
ability to use cryptographic techniques
more easily, by using some pre-
manufactured devices or software.
However, this requires the user to
trust the manufacturer completely. Young
and Yung [6] were the first to raise the
problem of the correctness of the
manufacturer and considered the case in
which the manufacturer modifies the
implementation in such a way that the
cryptographic device leaks some secret
information to an attacker. The
information is leaked subliminally and
gives no advantage to other parties
except the attacker, who can recover it
by using a trapdoor. The attack is called
SETUP (Secretly Embedded Trapdoor
with Universal Protection) [6].
Since the introduction of SETUP, attacks
have been developed for encryption
systems, signature schemes or key
generation algorithms based on factoring
or modular exponentiation ([2], [3], [5],
[6], [7], [8]). We have recently
considered a basic SETUP attack in a
visual secret sharing scheme [1]. In this
paper, we extend this attack and
analyze its security and applicability
more deeply.
The preliminary notions are provided in
Section 2. This includes the notions of
black-box, SETUP mechanism and the
definition of the visual secret sharing schemes
that will be considered through the rest
of the paper. Section 3 introduces the
SETUP in unanimous and (2,n)-threshold
Naor-Shamir visual secret sharing
schemes. In Section 4 we briefly analyze
the security and the applicability of the
proposed attacks. In Section 5, we
conclude.
2. Preliminaries
2.1. Black-Box
A user trusts a cryptographic device only
if it seems genuine. If the user observes
some strange behavior, then he will
change the device for a more trustable
one. So, a contaminated device should
be practically impossible to detect. From
the user perspective, this can be
achieved only if the cryptosystem is
implemented as a black-box.
Definition 1: A black-box cryptosystem
is an efficient probabilistic algorithm that
has readable and writable non-volatile
memory. In other words, it has access to
a fair coin and can store variables across
multiple invocations. Furthermore, the
algorithm and memory are not
www.jmeds.eu
externally accessible. Only the input and
the output of the cryptosystem are
accessible [9].
A black-box cryptosystem provides the
user only input and output access to the
hardware or software facility, without
any access to the internal design. So, if
the contaminated device maintains the
indistinguishability of the inputs and
outputs, its malicious behavior remains
hidden to the user.
2.2. SETUP Attack
When implemented as a black-box, the
cryptosystem can be designed to leak
some information, giving the attacker a
unique advantage. This is accomplished
by the SETUP (Secretly Embedded
Trapdoor with Universal Protection)
mechanism, introduced in [6]. The
internal modifications that permit the
implementation of the SETUP should
apparently not affect the input or output
of the cryptosystem. This way, the
cryptosystem appears to conform to the
original one and the malicious
implementation is difficult to detect by
an honest user. Even if the honest user
detects an unusual behavior and gains
access to the non-volatile memory,
the SETUP mechanism should be designed to
handle reverse engineering. This means
that the attacker maintains his
advantage over other users for all the
past (and ideally, future) runs of the
cryptosystem. More precisely:
Definition 2: A SETUP attack is an
algorithmic modification C’ of a
cryptosystem C with the following
properties:
1) Halting Correctness: C and C’ are
efficient algorithms. That means they
must halt in time polynomial in the
length of their inputs;
2) Output indistinguishability: the
outputs of C and C’ are indistinguishable
to all efficient probabilistic algorithms
except for the attacker;
3) Confidentiality of outputs of C: the
outputs of C are confidential to all
efficient probabilistic algorithms and do
not compromise the cryptosystem that C
implements;
4) Confidentiality of outputs of C’: the
outputs of C’ are confidential to all
efficient probabilistic algorithms and do
not compromise the cryptosystem that
C’ implements;
5) Ability to compromise C’: with
overwhelming probability, the attacker
can decrypt, forge, or otherwise
cryptanalyse at least one private output
of C’ given a sufficient number of public
outputs of C’. [9]
2.3. Visual Secret Sharing Schemes
A secret sharing scheme is a method to
split a secret into n shares, each share
being securely distributed to a
participant. The secret can be
reconstructed only when the participants
belonging to an authorized group
combine their shares together.
Definition 3: A secret sharing scheme
is perfect if it provides no information to
any unauthorized group of participants
(by putting their shares together).
Definition 4: A secret sharing scheme
is unanimous (or (n,n) secret sharing
scheme) if all n shares are needed in
order to reconstruct the secret (the only
authorized group of users is the set of all
users).
Definition 5: A secret sharing scheme is a (k,n)-
threshold scheme if any k or more
shares are enough to reconstruct the
secret.
Definition 6: A visual secret sharing
scheme (VSS) is a secret sharing
scheme for which the secret and the
components are images.
We will restrict our work to black and
white images. In this case, each image
(the secret and the shares) is considered
to be a matrix of pixels of 0s and 1s that
correspond by convention to white and
respectively black pixels.
Naor and Shamir were the first to
introduce a visual secret sharing scheme
[4]. For the rest of the paper, we will
refer to the Naor-Shamir unanimous (n,n)
and (2,n)-threshold visual secret sharing schemes.
2.3.1. Naor-Shamir unanimous VSS
Naor-Shamir unanimous (n,n) visual
secret sharing scheme was introduced in
[4]:
1) Computing shares
Consider $W = \{e_1, e_2, \ldots, e_n\}$, where $n$ is the number of participants and $e_i$ is the $n$-element vector with 1 on the $i$-th position and 0 otherwise.
List the $2^{n-1}$ even cardinality subsets of $W$ and the $2^{n-1}$ odd cardinality subsets of $W$ (the order is not important). Each list defines an $n \times 2^{n-1}$ matrix, $S^0 = (S^0_{ij})$ and $S^1 = (S^1_{ij})$ respectively, with $i = 1..n$ and $j = 1..2^{n-1}$: $S^0_{ij} = 1$ if and only if $e_i$ belongs to the $j$-th even cardinality subset, and $S^1_{ij} = 1$ if and only if $e_i$ belongs to the $j$-th odd cardinality subset.
Consider $C_0$ = {all the matrices obtained by permuting the columns of $S^0$} and $C_1$ = {all the matrices obtained by permuting the columns of $S^1$}.
To each pixel in the initial image will correspond $2^{n-1}$ pixels in each share:
- if the pixel is white, an element from $C_0$ is randomly chosen. The corresponding pixels in share $i$ are given by row $i$ of the selected matrix;
- if the pixel is black, an element from $C_1$ is randomly chosen. The corresponding pixels in share $i$ are given by row $i$ of the selected matrix.
2) Reconstruction of the secret image
All shares are OR-ed pixel by pixel.
Then, each group of $2^{n-1}$ pixels is
transformed into a black pixel if the
number of 1s is greater than a
given threshold, or into a white pixel otherwise. The
reconstructed image becomes identical
to the original one.
Theorem 1: The previous scheme is a
unanimous scheme with n participants,
where: $k = 2^{n-1}$ is the number of pixels in each share that correspond to a pixel in the secret; $1/2^{n-1}$ is the contrast parameter; $r = 2^{n-1}!$ is the cardinality of $C_0$ and $C_1$.
Theorem 2: Naor-Shamir unanimous
visual secret sharing scheme is perfect.
For more information and the
demonstration of Theorems 1 and 2, see
[4].
Example 1: Unanimous secret sharing scheme for $n = 2$ participants.
Let the 2 participants be $\{P_1, P_2\}$. $W = \{e_1, e_2\}$, where $e_1 = (1, 0)$ and $e_2 = (0, 1)$. The subsets of even cardinality of $W$ are $\{e_1, e_2\}$ and $\emptyset$. The subsets of odd cardinality of $W$ are $\{e_1\}$ and $\{e_2\}$. $S^0$ and $S^1$ become:
$$S^0 = \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix}; \quad S^1 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$
$C_0$ is the collection obtained by all permutations of the columns of $S^0$ and $C_1$ is the collection obtained by all permutations of the columns of $S^1$. A matrix from $C_0$ is used for sharing a white pixel and a matrix from $C_1$ is used for sharing a black pixel. All possible representations of a pixel are shown in Figure 1.
[Figure 1. Possible shares for one pixel in Naor-Shamir unanimous scheme with 2 participants. Panels: white pixel and black pixel, each showing first share, second share and result.]
It is easy to observe that by combining
any 2 shares corresponding to a white
pixel, a white and a black pixel are
obtained, while by combining any 2
shares corresponding to a black pixel,
both obtained pixels are black. So the
contrast parameter is $1/2$.
2.3.2. Naor-Shamir (2,n)-threshold VSS
Naor-Shamir (2,n)-threshold visual
secret sharing scheme is defined as [4]:
1) Computing shares
Let $S^0$ and $S^1$ be $n \times n$ matrices defined by:
$$S^0 = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 1 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 1 & 0 & \cdots & 0 \end{pmatrix}, \quad S^1 = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix}$$
Consider $C_0$ = {all the matrices obtained by permuting the columns of $S^0$} and $C_1$ = {all the matrices obtained by permuting the columns of $S^1$}.
To each pixel in the initial image will correspond $n$ pixels in each share:
- if the pixel is white, an element from $C_0$ is randomly chosen. The corresponding pixels in share $i$ are given by row $i$ of the selected matrix;
- if the pixel is black, an element from $C_1$ is randomly chosen. The corresponding pixels in share $i$ are given by row $i$ of the selected matrix.
2) Reconstruction of the secret image
All shares are OR-ed pixel by pixel.
Then, each group of $n$ pixels corresponds to a
black pixel if the number of 1s is
greater than or equal to 2, or to a white pixel
otherwise.
Example 2: Naor Shamir (2,n)-
threshold VSS.
Figures 2 and 3 show all possible shares
for a white pixel and some possible
shares for a black pixel in Naor-Shamir
(2,3)-threshold VSS. It is easy to see
that the contrast of the reconstructed
image gets higher when the number of
participants that cooperate increases.
3. SETUP attack
Consider the following assumptions:
1) The sharing mechanism is
implemented as a black-box that can
store information across multiple
invocations of the sharing algorithm in a
non-volatile memory;
2) The distribution of shares is perfectly
secure, i.e. a participant or an attacker
cannot eavesdrop the share of another
participant;
3) The attacker is always one of the
participants ($P_1$ by convention, as the
order of participants is not important);
4) More than one secret image will be shared. In
case of sharing only one secret image,
the attack does not work;
5) All shared images must have the
same dimensions.
The main goal of the SETUP attack is to permit the attacker (participant $P_1$) to learn the secret image by using only his (current and past) shares, in contrast to any other participant, who needs to fulfill the honest scheme reconstruction conditions in order to achieve this. Participants should not know that the attack is taking place, and the attack should be robust to reverse engineering.
A trivial attack could be initially
considered: in the distribution phase,
the attacker (participant $P_1$) receives
the secret image instead of a valid
share. This would clearly give the
attacker all the secret information.
The honest participants will not be able to determine the dishonest behavior in the case of a timeout (i.e. the shares are not used to reconstruct the secret within a proper time and new shares – maybe corresponding to a new secret – are generated and distributed). However, in case of reconstruction, participant $P_1$ will not be able to provide a valid share. So, if the reconstruction phase is performed by an honest entity, this trivial SETUP attack will be revealed.
[Figure 2. Possible shares for one pixel in Naor-Shamir (2,3) scheme when 2 participants cooperate. Panels: white pixel and black pixel, each showing first share, second share and result.]
[Figure 3. Possible shares for one pixel in Naor-Shamir (2,3) scheme when 3 participants cooperate. Panels: white pixel and black pixel, each showing first share, second share, third share and result.]
It could seem that the problem can be
solved if the attacker receives a valid
share besides the secret image. But this
makes the implementation susceptible to
traffic monitoring because the amount of
information sent to this particular
participant increases significantly.
For the rest of the paper, let $P_1, P_2, \ldots, P_n$ be the participants. By convention, $P_1$ is considered the attacker.
Let $S_1, S_2, \ldots, S_m$ be the secret images that will be shared between the participants and $C_1^i, C_2^i, \ldots, C_n^i$ the shares (components) corresponding to the secret $S_i$.
The idea of the attack is briefly explained next. The first secret $S_1$ is honestly shared using the Naor-Shamir method (subsections 2.3.1 and 2.3.2) into $C_1^1, C_2^1, \ldots, C_n^1$. Each share $C_j^1$ is securely transmitted to participant $P_j$. Component $C_1^1$ is saved into the non-volatile memory of the black-box sharing device.
In the first round, the attacker has no advantage and cannot compute the secret $S_1$.
The second secret $S_2$ is shared into $C_1^2, C_2^2, \ldots, C_n^2$ by using a modified dishonest method. This computes $C_1^2$ in such a way that, keeping only the pixels of $C_1^1$ corresponding to 1s in $C_1^2$, the secret will be revealed. All the other shares $C_2^2, C_3^2, \ldots, C_n^2$ are composed corresponding to the Naor-Shamir scheme, the secret $S_2$ and the first component $C_1^2$.
Participant $P_1$ receives an apparently valid share. However, this gives him the opportunity to compute the secret without any help from the other participants, knowing only his current and previous shares.
The process repeats for any secret $S_i$ by dishonestly computing the share $C_1^i$ based on the previous $C_1^{i-1}$. The old value $C_1^{i-1}$ is replaced in memory by $C_1^i$, which will be used for the next round. Participant $P_1$ is able to compute the secret by himself, using the 2 shares $C_1^{i-1}$ and $C_1^i$.
3.1. SETUP Attack in Naor-Shamir Unanimous VSS
A SETUP version of the unanimous Naor-
Shamir VSS could be stated as follows:
Input: $S_1, S_2, \ldots, S_m$, the secrets to be shared, and $n$, the number of participants;
Output: $C_1^i, C_2^i, \ldots, C_n^i$, the shares corresponding to the secret $S_i$, at each round $i$
1: if $i = 1$ then
2:   compute shares $C_1^1, C_2^1, \ldots, C_n^1$ using the honest Naor-Shamir scheme
3:   save $C_1^1$ into non-volatile memory
4: else
5:   for each pixel $S_i[l]$ of the secret $S_i$ do
6:     if the pixel is white ($S_i[l] = 0$) then
7:       for $j = (l-1)k + 1$ to $lk$ (i.e. all the $k$ pixels in $C_1^i$ corresponding to the original pixel $S_i[l]$) do
8:         $C_1^i[j] = C_1^{i-1}[j] + 1 \pmod 2$
9:       end for
10:    elsif the pixel is black ($S_i[l] = 1$) then
11:      for $j = (l-1)k + 1$ to $lk$ (i.e. all the $k$ pixels in $C_1^i$ corresponding to the original pixel $S_i[l]$) do
12:        $C_1^i[j] = C_1^{i-1}[j]$
13:      end for
14:    end if
15:    choose M from $C_0$ (white pixel) or $C_1$ (black pixel) so that the first row equals $C_1^i[(l-1)k + 1] \ldots C_1^i[lk]$
16:    for $j = 2$ to $n$ do
17:      $C_j^i$ = row $j$ of M
18:    end for
19:    replace $C_1^{i-1}$ by $C_1^i$ in non-volatile memory
20:  end for
21: end if
The selection of M is always possible,
because its first row either corresponds
to a valid share, or to its negation, which
also represents a valid share.
As a remark, the algorithm maintains
the possibility of parallel
implementation: all pixels of the secret
image can be processed in parallel.
$P_1$ (the attacker) will be able to reconstruct the secret image $S_i$, $i > 1$, at a given round by using the following algorithm:
Input: $C_1^i$, the share distributed to participant $P_1$, and $n$, the number of participants
Output: $S_i$, $i > 1$, the secret image
1: for each pixel $S_i[l]$ of the secret $S_i$ do
2:   $j = (l-1)k + 1$
3:   while $C_1^i[j] = 0$ do
4:     $j = j + 1$
5:   end while
6:   $S_i[l] = C_1^{i-1}[j]$
7: end for
8: replace $C_1^{i-1}$ by $C_1^i$ in memory
Example 3: SETUP in (2,2) Naor-Shamir VSS.
Let us consider the Naor-Shamir unanimous Visual Secret Scheme with 2 participants and the secret images $S_1$ and $S_2$ from Figure 4.
[Figure 4. SETUP Attack example. Table of images with columns Secret, $P_1$, $P_2$: row $S_1$ with shares $C_1^1$, $C_2^1$; row $S_2$ with shares $C_1^2$, $C_2^2$.]
From the SETUP algorithm, $S_1$ is honestly split (as being the first round), by using Naor-Shamir visual secret sharing scheme (subsection 2.2). $C_1^1$ and $C_2^1$ represent a pair of possible shares. $C_1^1$ is saved into memory.
The second image is processed, pixel by pixel (step 5 of the SETUP algorithm). As the first pixel of $S_2$ is black (step 10), the first 2 pixels in $C_1^2$ are the same as the first 2 pixels of $C_1^1$ (steps 11-13).
M is chosen from $C_1$ in such a way that its first row would be (1 0):
$$M = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$
This means that the first 2 pixels of share $C_2^2$ are white and respectively black.
For the second pixel of the secret image, which is also black, the sharing is performed in the same way.
The third pixel of the secret image $S_2$ is white, so the algorithm will follow steps 7-9. The corresponding pixels in the first share are different from the ones in the previous first share (white becomes black and black becomes white).
The matrix M is chosen from $C_0$ such that the first row is (1 0):
$$M = \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix}$$
meaning that the pixels in the second component are black and white.
The last pixel of the secret is processed in a similar way, the matrix M being:
$$M = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$$
The attacker (participant $P_1$) is able to reconstruct the second secret image $S_2$ without the help of the other participant. In order to do this, he will consider the colors from the previous share ($C_1^1$) that correspond to black in the actual share ($C_1^2$).
3.2. SETUP Attack in Naor-Shamir (2,n)-threshold VSS
A SETUP version of the (2,n)-threshold Naor-Shamir VSS could be stated as follows:
Input: $S_1, S_2, \ldots, S_m$, the secrets to be shared, and $n$, the number of participants;
Output: $C_1^i, C_2^i, \ldots, C_n^i$, the shares corresponding to the secret $S_i$, at each round $i$
1: if $i = 1$ then
2:   compute shares $C_1^1, C_2^1, \ldots, C_n^1$ using the honest Naor-Shamir scheme
3:   save $C_1^1$ into non-volatile memory
4: else
5:   for each pixel $S_i[l]$ of the secret $S_i$ do
6:     if the pixel is white ($S_i[l] = 0$) then
7:       choose random $r \in [(l-1)n + 1, ln]$ so that $C_1^{i-1}[r] = 0$
8:       set $C_1^i[r] = 1$
9:       for $j = (l-1)n + 1$ to $ln$ with $j \neq r$ (i.e. all the $n$ pixels in $C_1^i$ corresponding to the original pixel $S_i[l]$, except the $r$-th pixel) do
10:        $C_1^i[j] = 0$
11:      end for
12:    elsif the pixel is black ($S_i[l] = 1$) then
13:      let $r \in [(l-1)n + 1, ln]$ be so that $C_1^{i-1}[r] = 1$
14:      set $C_1^i[r] = 1$
15:      for $j = (l-1)n + 1$ to $ln$ with $j \neq r$ (i.e. all the $n$ pixels in $C_1^i$ corresponding to the original pixel $S_i[l]$, except the $r$-th pixel) do
16:        $C_1^i[j] = 0$
17:      end for
18:    end if
19:    choose M from $C_0$ (white pixel) or $C_1$ (black pixel) so that the first row equals $C_1^i[(l-1)n + 1] \ldots C_1^i[ln]$
20:    for $j = 2$ to $n$ do
21:      $C_j^i$ = row $j$ of M
22:    end for
23:    replace $C_1^{i-1}$ by $C_1^i$ in non-volatile memory
24:  end for
25: end if
Intuitively, the color of the pixel in a
secret image is the same as the color of
the pixel in the previous share that is
placed in the same position as the black
pixel in the current share.
The selection of M is always possible,
because its first row always corresponds
to a valid share.
$P_1$ (the attacker) will be able to reconstruct the secret image $S_i$, $i > 1$, at a given round by using the following algorithm:
Input: $C_1^i$, the share distributed to participant $P_1$, and $n$, the number of participants
Output: $S_i$, $i > 1$, the secret image
1: for each pixel $S_i[l]$ of the secret $S_i$ do
2:   $j = (l-1)n + 1$
3:   while $C_1^i[j] = 0$ do
4:     $j = j + 1$
5:   end while
6:   $S_i[l] = C_1^{i-1}[j]$
7: end for
8: replace $C_1^{i-1}$ by $C_1^i$ in memory
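[Figure 5. SETUP Attack example. Table of images with columns Secret, $S_1$, $S_2$: row $P_1$ with shares $C_1^1$, $C_1^2$; row $P_2$ with shares $C_2^1$, $C_2^2$; row $P_3$ with shares $C_3^1$, $C_3^2$.]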
Example 4: SETUP in (2,3) Naor-Shamir VSS.
Let us consider the Naor-Shamir (2,3)-threshold VSS and the secret images $S_1$ and $S_2$ from Figure 5. A possible set of shares that correspond to the modified SETUP version is given.
4. Security
This section analyzes the main security
aspects of the presented SETUP attack
and the conditions that must be met
for it to be applicable.
4.1. Scheme security for an honest participant or a regular attacker
In the worst-case scenario under the
taken assumptions, an honest
participant can know all the past secrets,
all the past used shares of any
participant and all his shares (including
the current one).
In case of unanimous Naor-Shamir VSS, due to the fact that it is a perfect scheme, we can also assume that the participant also knows the actual shares of all participants, except $P_1$.
All this should provide him no information about the actual secret image. This is achieved because identical values can lead to different colors of the actual secret.
Let us consider the unanimous Naor-Shamir VSS with 2 participants. Figure 6 shows that a white secret pixel followed by either a black or a white secret pixel (or similarly, a black secret pixel followed by either a white or a black secret pixel) can offer participant $P_2$ identical information. This way, participant $P_2$ learns no information about the actual secret image $S_2$.
The only way participant $P_2$ is able to reconstruct the secret is by knowing the component of $P_1$. For only 2 participants, this leads to the usual reconstruction phase.
[Figure 6. SETUP Attack provides advantage only to the attacker. Four tables of images, each with columns Secret, $S_1$, $S_2$ and rows $P_1$ (shares $C_1^1$, $C_1^2$) and $P_2$ (shares $C_2^1$, $C_2^2$).]
In case n > 2, under the assumption that the participant realizes the existence of the modified SETUP version, he needs the share of the attacker $P_1$, which he cannot obtain unless $P_1$ agrees to hand it over. As a remark, when a SETUP attack is revealed, any group of users containing $P_1$ will gain access to the secret.
A similar result is true for the (2,n)-
threshold Naor-Shamir VSS. For the
current round, we can only consider that
a participant knows his own share (2
shares would be enough to reconstruct
the secret). Without losing generality,
we will consider the case of participant $P_2$. Figure 7 shows such an example (for a given $S_1$, all the shares corresponding to it and the share of $P_2$ corresponding to $S_2$ are the same, regardless of the color of $S_2$).
A regular attacker (neither $P_1$ nor an honest participant) can know nothing about the secret components under the assumption that the distribution of shares is perfectly secure, so the scheme remains secure for outsiders.
4.2. Output Indistinguishability
The SETUP version should be
indistinguishable from the original one
by all efficient probabilistic algorithms
except for the attacker. If it were easily
identifiable, then the users would
change the device to a more trustable
one.
If the reconstruction is done by a trustable entity which checks for the use of a SETUP-contaminated system, and fully knows which participant each share belonged to, the SETUP attacks presented in subsections 3.1 and 3.2 do not fulfill this property. This is because, at each reconstruction, the entity could store all the shares and the corresponding secret. When new shares are received, after the reconstruction of the new secret image, the entity possesses all the information of the attacker: the successive components and the corresponding secrets.
[Figure 7. SETUP Attack provides advantage only to the attacker. Four tables of images, each with columns $S_1$, $S_2$ and rows $P_1$ (shares $C_1^1$, $C_1^2$), $P_2$ (shares $C_2^1$, $C_2^2$) and $P_3$ (shares $C_3^1$, $C_3^2$).]
The entity performs the SETUP reconstruction algorithm for each participant. If the obtained secret equals the second reconstructed secret image, then the participant is suspected of being the attacker.
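The check described above, as an added example that is not code from the paper: a Python simulation of the (2,2) unanimous case in which the trusted combiner keeps each round's shares and runs the Section 3.1 reconstruction algorithm on every participant's consecutive shares. The names `ContaminatedDealer`, `combine`, `setup_recover` and `audit`, and the 4x4 sample images, are constructed for illustration.

```python
import random

K = 2  # subpixels per secret pixel in the (2,2) scheme (k = 2^(n-1))
# Collections of Example 1: every column permutation of S^0 and of S^1.
C0 = [((1, 0), (1, 0)), ((0, 1), (0, 1))]  # white pixel: both rows equal
C1 = [((1, 0), (0, 1)), ((0, 1), (1, 0))]  # black pixel: rows complementary

# Constructed sample secrets: three distinct 4x4 images, flattened (1 = black).
SECRETS = [
    [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1],
    [0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1],
]


def honest_share(secret, rng):
    """Honest dealer: one random matrix per pixel; row p goes to participant p."""
    shares = ([], [])
    for pixel in secret:
        m = rng.choice(C1 if pixel else C0)
        shares[0].extend(m[0])
        shares[1].extend(m[1])
    return shares


class ContaminatedDealer:
    """Black-box dealer of Section 3.1; self.prev models the non-volatile memory."""

    def __init__(self, rng):
        self.rng, self.prev = rng, None

    def share(self, secret):
        if self.prev is None:  # round 1 is shared honestly
            shares = honest_share(secret, self.rng)
        else:
            shares = ([], [])
            for l, pixel in enumerate(secret):
                block = self.prev[l * K:(l + 1) * K]
                # black: copy the previous block; white: negate it
                row1 = tuple(b if pixel else 1 - b for b in block)
                m = next(m for m in (C1 if pixel else C0) if m[0] == row1)
                shares[0].extend(m[0])
                shares[1].extend(m[1])
        self.prev = list(shares[0])
        return shares


def combine(shares):
    """Honest reconstruction: OR the shares; a block of K ones is a black pixel."""
    ored = [max(col) for col in zip(*shares)]
    return [int(sum(ored[l * K:(l + 1) * K]) == K) for l in range(len(ored) // K)]


def setup_recover(prev_share, cur_share):
    """Section 3.1 reconstruction algorithm applied to one participant's two shares."""
    out = []
    for l in range(len(cur_share) // K):
        j = l * K
        while cur_share[j] == 0:  # find the first black subpixel of the block
            j += 1
        out.append(prev_share[j])
    return out


def audit(rounds):
    """Combiner's check: participants whose own consecutive shares reveal every
    later secret. With an honest dealer each pixel matches only with
    probability 1/2, so a full match over a whole image is a strong signal."""
    suspects = []
    for p in range(len(rounds[0])):
        hits = [setup_recover(prev[p], cur[p]) == combine(cur)
                for prev, cur in zip(rounds, rounds[1:])]
        if hits and all(hits):
            suspects.append(p)
    return suspects


def demo(seed=1):
    """Share the sample secrets with an honest and a contaminated dealer."""
    rng = random.Random(seed)
    honest = [honest_share(s, rng) for s in SECRETS]
    dealer = ContaminatedDealer(rng)
    tainted = [dealer.share(s) for s in SECRETS]
    return honest, tainted
```

Both dealers produce shares that reconstruct correctly and look like valid Naor-Shamir shares; only the audit over stored rounds separates them, and it depends on the combiner knowing which participant each share came from.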
This vulnerability can be easily avoided
by replacing the previous share in SETUP
by a timeout share not used before.
A timeout share is a share that belongs to a round in which the secret has not been reconstructed in a proper amount of time and, for security reasons, the shares were refreshed. In this case, the share can no longer be known by the entity that performs the reconstruction, and the SETUP becomes indistinguishable.
The downside is that the number of times the attacker can compute the secret image depends on the number of timeout shares, possibly decreasing the success rate. This is because if a timeout share is used twice, it provides information that can lead to the attack being revealed. However, this is not a real problem, since the attacker $P_1$ is able to create timeout shares when needed, by not participating in the reconstruction.
However, the attacker may not avoid
reconstruction as many times as it
needs, because he could be suspected of
a strange behavior and eventually
discovered.
4.3. Confidentiality through reverse engineering
The black-box non-volatile memory keeps the last share of the attacker or, in case of the improvement from the previous subsection, some timeout shares. They could be accessed by reverse engineering. However, this leaks no information about the past or future shared secret images, as results from Section 4.1.
The SETUP algorithm can be thought of as a one-time pad NOT XOR-ing of the secret with the previous share, resulting in the second share. Reverse engineering provides access to only one of the 3 values, which makes it impossible to reveal the secret.
4.4. Applicability of the proposed attack
As we have already mentioned, there
are some requirements that must be
accomplished in order for the attacks to
be feasible. Some of them are normal
assumptions: splitting more than one
secret, considering the attacker as one of
the participants, etc. However, there are
some other assumptions that could not
be normally met in practice. Such an
example is the assumption that all the
shared images must have the same
dimension (the proposed attacks could
be improved to allow images with
different dimensions).
An already mentioned problem (in
Section 4.2) is the existence of enough
timeout shares of the participant P1, so
that it does not raise suspicions to the
other participants.
Also, the proposed attack is feasible only
when the attacker receives the share
that is computed specially for him. If the
shares are mixed up before being sent
in the distribution phase, then the attack
will most probably fail.
5. Conclusions
This paper considers the extension of
SETUP attack to two particular visual
secret sharing schemes. When the
proper conditions are met, this may
allow the attacker to detect the secret
image without any help from the other
participants. The properties and security
of the proposed methods are analyzed.
Acknowledgment
This paper is supported by the Sectorial
Operational Programme Human
Resources Development (SOP HRD),
financed from the European Social Fund
and by the Romanian Government under
the contract number SOP
HDR/107/1.5/S/82514.
References
[1] Adrian Atanasiu, Ruxandra Olimid, Emil Simion. SETUP Attack in Visual Secret Sharing Scheme, Proceedings of the 4th International Conference on Security for Information Technology and Communications, 2011, pp. 7-15.
[2] Elsayed Mohamed, Hassan Elkamchouchi. Kleptographic Attacks on Elliptic Curve Cryptosystems, International Journal of Computer Science and Network Security, 2010, pp. 213-215.
[3] Elsayed Mohamed, Hassan Elkamchouchi. Kleptographic Attacks on Elliptic Curve Signatures, International Journal of Computer Science and Network Security, 2010, pp. 264-267.
[4] Moni Naor, Adi Shamir. Visual Cryptography, Advances in Cryptology - CRYPTO '94, pp. 1-12.
[5] Constantinos Patsakis, Nikolaos Alexandris. A New SETUP for Factoring Based Algorithms, IH-MSP '10 Proceedings of the 2010 Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, 2010.
[6] Adam Young, Moti Yung. The dark side of "black-box" cryptography or: Should we trust capstone?, Advances in Cryptology - CRYPTO '96, pp. 89-103.
[7] Adam Young, Moti Yung. Kleptography: Using Cryptography Against Cryptography, Advances in Cryptology - CRYPTO '97, pp. 62-74.
[8] Adam Young, Moti Yung. The prevalence of kleptographic attacks on discrete-log based cryptosystems, Advances in Cryptology - CRYPTO '97, pp. 264-276.
[9] Adam Young, Moti Yung. Malicious Cryptography: Exposing Cryptovirology, Wiley Publishing, 2004.