
Journal of Mobile, Embedded and Distributed Systems, vol. IV, no. 1, 2012

ISSN 2067 – 4074

On the Security of Black-Box Implementation of Visual Secret Sharing Schemes

Adrian ATANASIU, Ruxandra OLIMID, Emil SIMION

Faculty of Mathematics and Computer Science

University of Bucharest

ROMANIA

[email protected], [email protected], [email protected]

Abstract: Cryptographic software and devices give users the ability to take advantage of the benefits of cryptography more easily. However, this implies that the users must totally trust the manufacturer and the authenticity of the device or software they use. Young and Yung were the first to question the correctness of the manufacturer and considered the advantage that a malicious implementation could offer to a specific attacker. In this paper, we consider a modified version of two visual secret sharing schemes and the advantage that they provide to the attacker in order to reconstruct the secret by himself, while the other participants must fulfill the honest scheme reconstruction conditions. We also analyze the security of the proposed mechanisms and the conditions in which they can be applicable.

Key-Words: SETUP, visual secret sharing, black-box

1. Introduction

Cryptographic devices are used widely nowadays. They provide the owner the ability to use cryptographic techniques more easily, by using some pre-manufactured devices or software. However, this requires that the user totally trusts the manufacturer. Young and Yung [6] were the first to raise the problem of the correctness of the manufacturer and considered the case in which the manufacturer modifies the implementation in such a way that the cryptographic device leaks some secret information to an attacker. The information is leaked subliminally and gives no advantage to other parties except the attacker, who can recover it by using a trapdoor. The attack is called SETUP (Secretly Embedded Trapdoor with Universal Protection) [6].

Since the introduction of SETUP, attacks have been developed for encryption systems, signature schemes or key generation algorithms based on factoring or modular exponentiation ([2], [3], [5], [6], [7], [8]). We have recently considered a basic SETUP attack in a visual secret sharing scheme [1]. In this paper, we extend this attack and analyze its security and applicability more deeply.

The preliminary notions are provided in Section 2. This includes the notions of black-box, SETUP mechanism and the definition of the visual secret sharing schemes that will be considered through the rest of the paper. Section 3 introduces the SETUP in unanimous and (2,n)-threshold Naor-Shamir visual secret sharing schemes. In Section 4 we briefly analyze the security and the applicability of the proposed attacks. In Section 5, we conclude.

2. Preliminaries

2.1. Black-Box

A user trusts a cryptographic device only if it seems genuine. If the user observes some strange behavior, then he will change the device for a more trustworthy one. So, a contaminated device should be practically impossible to detect. From the user's perspective, this can be achieved only if the cryptosystem is implemented as a black-box.

Definition 1: A black-box cryptosystem is an efficient probabilistic algorithm that has readable and writable non-volatile memory. In other words, it has access to a fair coin and can store variables across multiple invocations. Furthermore, the algorithm and memory are not externally accessible. Only the input and the output of the cryptosystem are accessible [9].

www.jmeds.eu

A black-box cryptosystem provides the user only input and output access to the hardware or software facility, without any access to the internal design. So, if the contaminated device maintains the indistinguishability of the inputs and outputs, its malicious behavior remains hidden from the user.

2.2. SETUP Attack

When implemented as a black-box, the cryptosystem can be designed to leak some information, giving the attacker a unique advantage. This is accomplished by the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, introduced in [6]. The internal modifications that permit the implementation of the SETUP should apparently not affect the input or output of the cryptosystem. This way, the cryptosystem appears to conform to the original one and the malicious implementation is difficult to detect by an honest user. Even if the honest user detects an unusual behavior and gains access to the non-volatile memory, the SETUP mechanism should be designed to withstand reverse engineering. This means that the attacker maintains his advantage over other users for all the past (and ideally, future) runs of the cryptosystem. More precisely:

Definition 2: A SETUP attack is an algorithmic modification C' of a cryptosystem C with the following properties:

1) Halting Correctness: C and C' are efficient algorithms. That means they must halt in time polynomial in the length of their inputs;

2) Output indistinguishability: the outputs of C and C' are indistinguishable to all efficient probabilistic algorithms except for the attacker;

3) Confidentiality of outputs of C: the outputs of C are confidential to all efficient probabilistic algorithms and do not compromise the cryptosystem that C implements;

4) Confidentiality of outputs of C': the outputs of C' are confidential to all efficient probabilistic algorithms and do not compromise the cryptosystem that C' implements;

5) Ability to compromise C': with overwhelming probability, the attacker can decrypt, forge, or otherwise cryptanalyse at least one private output of C' given a sufficient number of public outputs of C'. [9]

2.3. Visual Secret Sharing Schemes

A secret sharing scheme is a method to split a secret into n shares, each share being securely distributed to a participant. The secret can be reconstructed only when the participants belonging to an authorized group combine their shares together.

Definition 3: A secret sharing scheme is perfect if it provides no information to any unauthorized group of participants (by putting their shares together).

Definition 4: A secret sharing scheme is unanimous (or an (n,n) secret sharing scheme) if all n shares are needed in order to reconstruct the secret (the only authorized group of users is the set of all users).

Definition 5: A secret sharing scheme is a (k,n)-threshold scheme if any k or more shares are enough to reconstruct the secret.

Definition 6: A visual secret sharing scheme (VSS) is a secret sharing scheme for which the secret and the components are images.

We will restrict our work to black and white images. In this case, each image (the secret and the shares) is considered to be a matrix of pixels of 0s and 1s that correspond by convention to white and respectively black pixels.

Naor and Shamir were the first to introduce a visual secret sharing scheme [4]. For the rest of the paper, we will refer to the Naor-Shamir unanimous (n,n) and (2,n)-threshold secret sharing schemes.

2.3.1. Naor-Shamir unanimous VSS

The Naor-Shamir unanimous (n,n) visual secret sharing scheme was introduced in [4]:

1) Computing shares

Consider $W = \{e_1, e_2, \ldots, e_n\}$, where n is the number of participants and $e_i$ is the n-element vector with 1 on the i-th position and 0 otherwise.

List the $2^{n-1}$ subsets of W of even cardinality and the $2^{n-1}$ subsets of W of odd cardinality (the order is not important). Each list defines an $n \times 2^{n-1}$ matrix, $S^0 = (S^0_{ij})$ and $S^1 = (S^1_{ij})$ respectively:

$S^0_{ij} = 1 \iff e_i$ belongs to the j-th even-cardinality subset, $i = 1..n$, $j = 1..2^{n-1}$;

$S^1_{ij} = 1 \iff e_i$ belongs to the j-th odd-cardinality subset, $i = 1..n$, $j = 1..2^{n-1}$.

Consider $C^0$ = {all the matrices obtained by permuting the columns of $S^0$} and $C^1$ = {all the matrices obtained by permuting the columns of $S^1$}.

To each pixel in the initial image will correspond $2^{n-1}$ pixels in each share:

- if the pixel is white, an element from $C^0$ is randomly chosen. The corresponding pixels in share i are given by row i of the selected matrix;

- if the pixel is black, an element from $C^1$ is randomly chosen. The corresponding pixels in share i are given by row i of the selected matrix.

2) Reconstruction of the secret image

All shares are OR-ed pixel by pixel. Then, each group of $2^{n-1}$ pixels is transformed into a black pixel, if the number of 1s is greater than a given threshold, or into a white pixel, otherwise. The reconstructed image becomes identical to the original one.

Theorem 1: The previous scheme is a unanimous scheme with n participants, where: $k = 2^{n-1}$ is the number of pixels in each share that correspond to a pixel in the secret; $1/2^{n-1}$ is the contrast parameter; $r = 2^{n-1}!$ is the cardinality of $C^0$ and $C^1$.

Theorem 2: The Naor-Shamir unanimous visual secret sharing scheme is perfect.

For more information and the proofs of Theorems 1 and 2, see [4].

Example 1: Unanimous secret sharing scheme for n = 2 participants.

Let the 2 participants be $\{P_1, P_2\}$. $W = \{e_1, e_2\}$, where $e_1 = (1,0)$ and $e_2 = (0,1)$. The subsets of even cardinality of W are $\emptyset$ and $\{e_1, e_2\}$. The subsets of odd cardinality of W are $\{e_1\}$ and $\{e_2\}$. $S^0$ and $S^1$ become:

$S^0 = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$; $S^1 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$

$C^0$ is the collection obtained by all permutations of columns of $S^0$ and $C^1$ is the collection obtained by all permutations of columns of $S^1$. A matrix from $C^0$ is used for sharing a white pixel and a matrix from $C^1$ is used for sharing a black pixel. All possible representations of a pixel are shown in Figure 1.

[Figure 1: rows White pixel / First share / Second share / Result and Black pixel / First share / Second share / Result, one column per matrix of $C^0$ and $C^1$.]

Figure 1. Possible shares for one pixel in Naor-Shamir unanimous scheme with 2 participants

It is easy to observe that by combining any 2 shares corresponding to a white pixel, a white and a black pixel are obtained, while by combining any 2 shares corresponding to a black pixel, both obtained pixels are black. So the contrast parameter is 1/2.
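The construction of $S^0$ and $S^1$, the sharing rule and the OR-and-threshold reconstruction of subsection 2.3.1, as an added Python example (not code from the paper or from Naor and Shamir): it builds the basis matrices for any n from the even and odd subsets of W, shares an image, reconstructs it, and checks the perfectness property behind Theorem 2, namely that restricted to any proper subset of rows, $S^0$ and $S^1$ are column permutations of each other. Function names, the random seed and the sample image are the example's own.

```python
import itertools
import random


def base_matrices(n):
    """Basis matrices of the Naor-Shamir unanimous (n,n) scheme.

    Column j of S0 is the indicator vector (over e_1..e_n) of the j-th
    even-cardinality subset of W, column j of S1 that of the j-th
    odd-cardinality subset, so both matrices are n x 2^(n-1)."""
    even, odd = [], []
    for size in range(n + 1):
        for subset in itertools.combinations(range(n), size):
            (even if size % 2 == 0 else odd).append(set(subset))
    s0 = [[1 if i in sub else 0 for sub in even] for i in range(n)]
    s1 = [[1 if i in sub else 0 for sub in odd] for i in range(n)]
    return s0, s1


def permute_columns(matrix, rng):
    """A uniformly random column permutation: a random element of C0 or C1."""
    cols = list(range(len(matrix[0])))
    rng.shuffle(cols)
    return [[row[c] for c in cols] for row in matrix]


def share_image(secret, n, seed=0):
    """Split a black-and-white image (list of 0/1 pixels, 1 = black) into n
    shares; each secret pixel becomes k = 2^(n-1) sub-pixels in every share."""
    rng = random.Random(seed)  # seeded only to keep the example reproducible
    s0, s1 = base_matrices(n)
    shares = [[] for _ in range(n)]
    for pixel in secret:
        m = permute_columns(s1 if pixel else s0, rng)
        for i in range(n):
            shares[i].extend(m[i])  # share i takes row i of the chosen matrix
    return shares


def reconstruct(shares, n):
    """Honest reconstruction: OR all shares sub-pixel by sub-pixel (stacking
    the transparencies), then call a k-block black when all k sub-pixels are
    1 (the OR of the rows of any matrix in C1) and white otherwise (the OR of
    the rows of a matrix in C0 has exactly k - 1 ones)."""
    k = 2 ** (n - 1)
    stacked = [max(bits) for bits in zip(*shares)]
    return [1 if sum(stacked[j:j + k]) >= k else 0
            for j in range(0, len(stacked), k)]


def rows_indistinguishable(n, rows):
    """Perfectness check: restricted to the rows of any proper subset of
    participants, S0 and S1 have the same multiset of columns, so those
    participants cannot tell a white pixel's shares from a black pixel's."""
    s0, s1 = base_matrices(n)

    def restricted_columns(s):
        return sorted(tuple(s[i][j] for i in rows) for j in range(2 ** (n - 1)))

    return restricted_columns(s0) == restricted_columns(s1)
```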

2.3.2. Naor-Shamir (2,n)-threshold VSS

The Naor-Shamir (2,n)-threshold visual secret sharing scheme is defined as [4]:

1) Computing shares

Let $S^0$ and $S^1$ be the $n \times n$ matrices defined by:

$S^0 = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 1 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 1 & 0 & \cdots & 0 \end{pmatrix}$, $S^1 = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix}$

Consider $C^0$ = {all the matrices obtained by permuting the columns of $S^0$} and $C^1$ = {all the matrices obtained by permuting the columns of $S^1$}.

To each pixel in the initial image will correspond n pixels in each share:

- if the pixel is white, an element from $C^0$ is randomly chosen. The corresponding pixels in share i are given by row i of the selected matrix;

- if the pixel is black, an element from $C^1$ is randomly chosen. The corresponding pixels in share i are given by row i of the selected matrix.

2) Reconstruction of the secret image

All shares are OR-ed pixel by pixel. Then, each group of n pixels corresponds to a black pixel, if the number of 1s is greater than or equal to 2, or to a white pixel, otherwise.

Example 2: Naor-Shamir (2,n)-threshold VSS.

Figures 2 and 3 show all possible shares for a white pixel and some possible shares for a black pixel in the Naor-Shamir (2,3)-threshold VSS. It is easy to see that the contrast of the reconstructed image gets higher when the number of participants that cooperate increases.

3. SETUP attack

Consider the following assumptions:

1) The sharing mechanism is implemented as a black-box that can store information across multiple invocations of the sharing algorithm in a non-volatile memory;

2) The distribution of shares is perfectly secure, i.e. a participant or an attacker cannot eavesdrop on the share of another participant;

3) The attacker is always one of the participants ($P_1$ by convention, as the order of participants is not important);

4) More than one secret image will be shared. In case of sharing only one secret image, the attack does not work;

5) All shared images must have the same dimensions.

The main goal of the SETUP attack is to permit the attacker (participant $P_1$) to learn the secret image by using only his (current and past) shares, in contrast to any other participant, who needs to fulfill the honest scheme reconstruction conditions in order to achieve this. Participants should not know that the attack is taking place, and the attack should be robust to reverse engineering.

A trivial attack could be initially considered: in the distribution phase, the attacker (participant $P_1$) receives the secret image instead of a valid share. This would clearly give the attacker all the secret information. The honest participants will not be able to determine the dishonest behavior in the case of a timeout (i.e. the shares are not used to reconstruct the secret within a proper time and new shares – maybe corresponding to a new secret – are generated and distributed). However, in case of reconstruction, participant $P_1$ will not be able to provide a valid share. So, if the reconstruction phase is performed by an honest entity, this trivial SETUP attack will be revealed.

[Figure 2: rows White pixel / First share / Second share / Result and Black pixel / First share / Second share / Result, one column per matrix of $C^0$ and $C^1$.]

Figure 2. Possible shares for one pixel in Naor-Shamir (2,3) scheme when 2 participants cooperate

[Figure 3: rows White pixel / First share / Second share / Third share / Result and Black pixel / First share / Second share / Third share / Result.]

Figure 3. Possible shares for one pixel in Naor-Shamir (2,3) scheme when 3 participants cooperate

It could seem that the problem can be solved if the attacker receives a valid share besides the secret image. But this makes the implementation susceptible to traffic monitoring, because the amount of information sent to this particular participant increases significantly.

For the rest of the paper, let $P_1, P_2, \ldots, P_n$ be the participants. By convention, $P_1$ is considered the attacker.

Let $S_1, S_2, \ldots, S_m$ be the secret images that will be shared between the participants and $C^i_1, C^i_2, \ldots, C^i_n$ the shares (components) corresponding to the secret $S_i$.

The idea of the attack is briefly explained next. The first secret $S_1$ is honestly shared using the Naor-Shamir method (subsections 2.3.1 and 2.3.2) into $C^1_1, C^1_2, \ldots, C^1_n$. Each share $C^1_j$ is securely transmitted to participant $P_j$. Component $C^1_1$ is saved into the non-volatile memory of the black-box sharing device.

In the first round, the attacker has no advantage and cannot compute the secret $S_1$.

The second secret $S_2$ is shared into $C^2_1, C^2_2, \ldots, C^2_n$ by using a modified dishonest method. This computes $C^2_1$ in such a way that, keeping only the $C^1_1$ pixels corresponding to 1s in $C^2_1$, the secret will be revealed. All the other shares $C^2_2, C^2_3, \ldots, C^2_n$ are composed according to the Naor-Shamir scheme, the secret $S_2$ and the first component $C^2_1$. Participant $P_1$ receives an apparently valid share. However, this gives him the opportunity to compute the secret without any help from the other participants, knowing only his current and previous share.

The process repeats for any secret $S_i$ by dishonestly computing the share $C^i_1$ based on the previous $C^{i-1}_1$. The old value $C^{i-1}_1$ is replaced in memory by $C^i_1$, which will be used for the next round. Participant $P_1$ is able to compute the secret by himself, using the 2 shares $C^{i-1}_1$ and $C^i_1$.

3.1. SETUP Attack in Naor-Shamir Unanimous VSS

A SETUP version of the unanimous Naor-Shamir VSS could be stated as follows:

Input: $S_1, S_2, \ldots, S_m$ the secrets to be shared and n the number of participants;

Output: $C^i_1, C^i_2, \ldots, C^i_n$, the shares corresponding to the secret $S_i$, at each round i

1: if i = 1 then
2:   compute shares $C^1_1, C^1_2, \ldots, C^1_n$ using the honest Naor-Shamir scheme
3:   save $C^1_1$ into non-volatile memory
4: else
5:   for each pixel $S_i[l]$ of the secret $S_i$ do
6:     if the pixel is white ($S_i[l] = 0$) then
7:       for j = (l-1)k+1 to lk (i.e. all the k pixels in $C^i_1$ corresponding to the original pixel $S_i[l]$) do
8:         $C^i_1[j] = C^{i-1}_1[j] + 1 \pmod 2$
9:       end for
10:    elsif the pixel is black ($S_i[l] = 1$) then
11:      for j = (l-1)k+1 to lk (i.e. all the k pixels in $C^i_1$ corresponding to the original pixel $S_i[l]$) do
12:        $C^i_1[j] = C^{i-1}_1[j]$
13:      end for
14:    end if
15:    choose M from $C^{S_i[l]}$ (i.e. from $C^0$ for a white pixel and from $C^1$ for a black pixel) so that the first row equals $C^i_1[(l-1)k+1] \ldots C^i_1[lk]$
16:    for j = 2 to n do
17:      $C^i_j$ = row j of M
18:    end for
19:    replace $C^{i-1}_1$ by $C^i_1$ in non-volatile memory
20:  end for
21: end if

The selection of M is always possible, because its first row either corresponds to a valid share, or to its negation, which also represents a valid share.

As a remark, the algorithm maintains the possibility of parallel implementation: all pixels of the secret image can be processed in parallel.

$P_1$ (the attacker) will be able to reconstruct the secret image $S_i$, i > 1, at a given round by using the following algorithm:

Input: $C^i_1$, the share distributed to participant $P_1$, and n, the number of participants

Output: $S_i$, i > 1, the secret image

1: for each pixel $S_i[l]$ of the secret $S_i$ do
2:   j = (l-1)k+1
3:   while $C^i_1[j] = 0$ do
4:     j = j+1
5:   end while
6:   $S_i[l] = C^{i-1}_1[j]$
7: end for
8: replace $C^{i-1}_1$ by $C^i_1$ in memory

Example 3: SETUP in (2,2) Naor-Shamir VSS.

Let us consider the Naor-Shamir unanimous visual secret sharing scheme with 2 participants and the secret images $S_1$ and $S_2$ from Figure 4.

[Figure 4: a table with columns Secret / $P_1$ / $P_2$ and rows $S_1$: $C^1_1$, $C^1_2$ and $S_2$: $C^2_1$, $C^2_2$, showing the images.]

Figure 4. SETUP Attack example

From the SETUP algorithm, $S_1$ is honestly split (being the first round), by using the Naor-Shamir visual secret sharing scheme (subsection 2.3.1). $C^1_1$ and $C^1_2$ represent a pair of possible shares. $C^1_1$ is saved into memory.

The second image is processed, pixel by pixel (step 5 of the SETUP algorithm). As the first pixel of $S_2$ is black (step 10), the first 2 pixels in $C^2_1$ are the same as the first 2 pixels of $C^1_1$ (steps 11-13). M is chosen from $C^1$ in such a way that its first row would be (1 0):

$M = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$

This means that the first 2 pixels of share $C^2_2$ are white and respectively black.

For the second pixel of the secret image, which is also black, the sharing is performed in the same way.

The third pixel of the secret image $S_2$ is white, so the algorithm will follow steps 7-9. The corresponding pixels in the first share are different from the ones in the previous first share (white becomes black and black becomes white). The matrix M is chosen from $C^0$ such that the first row is (1 0):

$M = \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix}$

meaning that the pixels in the second component are black and white.

The last pixel of the secret is processed in a similar way, the matrix M being:

$M = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$

The attacker (participant $P_1$) is able to reconstruct the second secret image $S_2$ without the help of the other participant. In order to do this, he will consider the colors from the previous share ($C^1_1$) that correspond to black in the current share ($C^2_1$).

3.2. SETUP Attack in Naor-Shamir (2,n)-threshold VSS

A SETUP version of the (2,n)-threshold Naor-Shamir VSS could be stated as follows:

Input: $S_1, S_2, \ldots, S_m$ the secrets to be shared and n the number of participants;

Output: $C^i_1, C^i_2, \ldots, C^i_n$, the shares corresponding to the secret $S_i$, at each round i

1: if i = 1 then
2:   compute shares $C^1_1, C^1_2, \ldots, C^1_n$ using the honest Naor-Shamir scheme
3:   save $C^1_1$ into non-volatile memory
4: else
5:   for each pixel $S_i[l]$ of the secret $S_i$ do
6:     if the pixel is white ($S_i[l] = 0$) then
7:       choose random $r \in [(l-1)n+1, ln]$ so that $C^{i-1}_1[r] = 0$
8:       set $C^i_1[r] = 1$
9:       for j = (l-1)n+1 to ln with $j \neq r$ (i.e. all the n pixels in $C^i_1$ corresponding to the original pixel $S_i[l]$, except the r-th pixel) do
10:        $C^i_1[j] = 0$
11:      end for
12:    elsif the pixel is black ($S_i[l] = 1$) then
13:      let $r \in [(l-1)n+1, ln]$ be so that $C^{i-1}_1[r] = 1$
14:      set $C^i_1[r] = 1$
15:      for j = (l-1)n+1 to ln with $j \neq r$ (i.e. all the n pixels in $C^i_1$ corresponding to the original pixel $S_i[l]$, except the r-th pixel) do
16:        $C^i_1[j] = 0$
17:      end for
18:    end if
19:    choose M from $C^{S_i[l]}$ (i.e. from $C^0$ for a white pixel and from $C^1$ for a black pixel) so that the first row equals $C^i_1[(l-1)n+1] \ldots C^i_1[ln]$
20:    for j = 2 to n do
21:      $C^i_j$ = row j of M
22:    end for
23:    replace $C^{i-1}_1$ by $C^i_1$ in non-volatile memory
24:  end for
25: end if

Intuitively, the color of the pixel in a secret image is the same as the color of the pixel in the previous share that is placed in the same position as the black pixel in the current share.

The selection of M is always possible, because its first row always corresponds to a valid share.

$P_1$ (the attacker) will be able to reconstruct the secret image $S_i$, i > 1, at a given round by using the following algorithm:

Input: $C^i_1$, the share distributed to participant $P_1$, and n, the number of participants

Output: $S_i$, i > 1, the secret image

1: for each pixel $S_i[l]$ of the secret $S_i$ do
2:   j = (l-1)n+1
3:   while $C^i_1[j] = 0$ do
4:     j = j+1
5:   end while
6:   $S_i[l] = C^{i-1}_1[j]$
7: end for
8: replace $C^{i-1}_1$ by $C^i_1$ in memory

Example 4: SETUP in (2,3) Naor-Shamir VSS.

Let us consider the Naor-Shamir (2,3)-threshold VSS and the secret images $S_1$ and $S_2$ from Figure 5. A possible set of shares that correspond to the modified SETUP version is given.

[Figure 5: a table with columns Secret / $S_1$ / $S_2$ and rows $P_1$: $C^1_1$, $C^2_1$; $P_2$: $C^1_2$, $C^2_2$; $P_3$: $C^1_3$, $C^2_3$, showing the images.]

Figure 5. SETUP Attack example

4. Security

This section analyzes the main security aspects of the presented SETUP attack and the conditions that must be met in order for it to be applicable.

4.1. Scheme security for an honest participant or a regular attacker

In the worst-case scenario under the taken assumptions, an honest participant can know all the past secrets, all the past used shares of any participant and all his own shares (including the current one).

In the case of the unanimous Naor-Shamir VSS, due to the fact that it is a perfect scheme, we can also assume that the participant knows the current shares of all participants, except $P_1$.

All this should provide him no information about the current secret image. This is achieved because identical values can lead to different colors of the current secret.

Let us consider the unanimous Naor-Shamir VSS with 2 participants. Figure 6 shows that a white secret pixel followed by either a black or a white secret pixel (or similarly, a black secret pixel followed by either a white or a black secret pixel) can offer participant $P_2$ identical information. This way, participant $P_2$ is revealed no information about the current secret image $S_2$.

The only way participant $P_2$ is able to reconstruct the secret is by knowing the component of $P_1$. For only 2 participants, this leads to the usual reconstruction phase.

[Figure 6: four tables with columns Secret / $S_1$ / $S_2$ and rows $P_1$: $C^1_1$, $C^2_1$; $P_2$: $C^1_2$, $C^2_2$, showing the images.]

Figure 6. SETUP Attack provides advantage only to the attacker

In case n > 2, under the assumption that the participant realizes the existence of the modified SETUP version, he needs the share of the attacker $P_1$, which he cannot find unless $P_1$ agrees to hand it over. As a remark, when a SETUP attack is revealed, any group of users containing $P_1$ will gain access to the secret.

A similar result is true for the (2,n)-threshold Naor-Shamir VSS. For the current round, we can only consider that a participant knows his own share (2 shares would be enough to reconstruct the secret). Without loss of generality, we will consider the case of participant $P_2$. Figure 7 shows such an example (for a given $S_1$, all the shares corresponding to it and the share of $P_2$ corresponding to $S_2$ are the same, regardless of the color of $S_2$).

A regular attacker, different from $P_1$ or any other honest participant, can know nothing about the secret components under the assumption that the share distribution is perfectly secure, so the scheme remains secure for outsiders.

4.2. Output Indistinguishability

The SETUP version should be indistinguishable from the original one by all efficient probabilistic algorithms except for the attacker. If it were easily identifiable, then the users would change the device to a more trustworthy one.

If the reconstruction is done by a trustworthy entity which verifies the usage of a SETUP contaminated system, and fully knows what participant a share belonged to, the SETUP attacks presented in subsections 3.1 and 3.2 do not fulfill this property. This is because, at each reconstruction, the entity could store all the shares and the corresponding secret. When new shares are received, after the reconstruction of the new secret image, the entity possesses all the information of the attacker: the successive components and the corresponding secrets.

[Figure 7: four tables with columns $S_1$ / $S_2$ and rows $P_1$: $C^1_1$, $C^2_1$; $P_2$: $C^1_2$, $C^2_2$; $P_3$: $C^1_3$, $C^2_3$, showing the images.]

Figure 7. SETUP Attack provides advantage only to the attacker

The entity performs the SETUP reconstruction algorithm for each participant. If the obtained secret equals the second reconstructed secret image, then the participant is suspected of being the attacker.
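The dishonest sharing of subsection 3.2, the attacker's recovery rule and the trusted entity's check described in this subsection, as an added Python simulation (not code from the paper): it runs the (2,n)-threshold scheme with n = 3 of Example 4 over several rounds, verifies that the shares handed to the honest participants still reconstruct correctly, and applies the attacker's rule to every participant's consecutive shares to flag the one whose "recovered" image matches the real secret. Function names, the random seed and the sample secrets are the example's own.

```python
import random


def base_row(pixel, i, n):
    """Row i of S0 (every row is (1,0,...,0)) or of S1 (the identity) in the
    Naor-Shamir (2,n)-threshold scheme."""
    return [1 if c == (i if pixel else 0) else 0 for c in range(n)]


def matrix_from_perm(pixel, perm, n):
    """M[i][j] = S[i][perm[j]]: the column permutation of S0/S1 that puts
    original column perm[j] at position j, i.e. an element of C0 or C1."""
    return [[base_row(pixel, i, n)[perm[j]] for j in range(n)] for i in range(n)]


def perm_with_one_at(r, n):
    """Permutation placing original column 0 at position r, so that row 0 of
    M has its single 1 at r (both S0 and S1 keep row 0's 1 in column 0, which
    is why step 19 of the algorithm always finds an M)."""
    others = iter(range(1, n))
    return [0 if j == r else next(others) for j in range(n)]


def honest_share(secret, n, rng):
    """Honest (2,n) sharing: each pixel block is a random element of C0
    (white) or C1 (black); share i takes row i."""
    shares = [[] for _ in range(n)]
    for pixel in secret:
        perm = list(range(n))
        rng.shuffle(perm)
        m = matrix_from_perm(pixel, perm, n)
        for i in range(n):
            shares[i].extend(m[i])
    return shares


def setup_share(secret, prev_share, n, rng):
    """Dishonest round (i > 1) of subsection 3.2: in each block the attacker's
    share gets a single 1 at a position r where the stored C1^{i-1} has the
    secret pixel's colour; the other rows come from a valid M whose first row
    is that block, so every share remains a valid Naor-Shamir share."""
    shares = [[] for _ in range(n)]
    for l, pixel in enumerate(secret):
        block = prev_share[l * n:(l + 1) * n]
        # a valid block holds exactly one 1: one candidate r for a black
        # pixel, n - 1 candidates (one drawn at random) for a white pixel
        r = rng.choice([j for j in range(n) if block[j] == pixel])
        m = matrix_from_perm(pixel, perm_with_one_at(r, n), n)
        for i in range(n):
            shares[i].extend(m[i])
    return shares


def attacker_recover(curr_share, prev_share, n):
    """P1's rule: the secret pixel is the colour of the previous share at the
    position of the single 1 in the current share's block."""
    return [prev_share[l * n + curr_share[l * n:(l + 1) * n].index(1)]
            for l in range(len(curr_share) // n)]


def honest_reconstruct(shares, n):
    """Stack any two or more shares: a block is black iff the OR has >= 2 ones."""
    stacked = [max(bits) for bits in zip(*shares)]
    return [1 if sum(stacked[j:j + n]) >= 2 else 0
            for j in range(0, len(stacked), n)]


def run_rounds(secrets, n, seed=0):
    """Simulate the contaminated black-box: the first secret is shared
    honestly, later ones with setup_share, C1 of the last round kept in
    memory. Returns a list of (shares, secret) per round."""
    rng = random.Random(seed)  # seeded only to keep the example reproducible
    rounds, memory = [], None
    for secret in secrets:
        shares = (honest_share(secret, n, rng) if memory is None
                  else setup_share(secret, memory, n, rng))
        memory = shares[0]  # the attacker's new share replaces the stored one
        rounds.append((shares, secret))
    return rounds


def detect_setup(rounds, n):
    """Trusted reconstructing entity of subsection 4.2: it keeps every
    round's shares and reconstructed secret, applies the attacker's rule to
    each participant's consecutive shares and reports the participants whose
    'recovered' image equals the genuine secret."""
    suspects = set()
    for (prev_shares, _), (curr_shares, secret) in zip(rounds, rounds[1:]):
        for i in range(n):
            if attacker_recover(curr_shares[i], prev_shares[i], n) == secret:
                suspects.add(i)
    return sorted(suspects)
```

An honest participant can match by chance with probability about 2^-(pixels), so a real entity would confirm over several rounds before accusing anyone.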

This vulnerability can be easily avoided by replacing the previous share in the SETUP by a timeout share not used before. A timeout share is a share that belongs to a round in which the secret has not been reconstructed in a proper amount of time and, for security reasons, the shares were refreshed. In this case, the share can no longer be known by the entity that performs the reconstruction, and the SETUP becomes indistinguishable.

The downside is that the number of times the attacker can compute the secret image depends on the number of timeout shares, possibly decreasing the success rate. This is because if a timeout share is used twice, it provides information that can lead to the attack being revealed. However, this is not a real problem, since the attacker $P_1$ is able to create timeout shares when needed, by not participating in the reconstruction. However, the attacker may not avoid reconstruction as many times as he needs, because he could be suspected of strange behavior and eventually discovered.

4.3. Confidentiality through reverse engineering

The black-box non-volatile memory keeps the last share of the attacker or, in the case of the improvement from the previous subsection, some timeout shares. They could be accessed by reverse engineering. However, this leaks no information about the past or future shared secret images, as results from Section 4.1.

The SETUP algorithm can be thought of as a one-time pad NOT XOR-ing of the secret with the previous share, resulting in the second share. Reverse engineering provides access to only one of the 3 values, which makes it impossible to reveal the secret.

4.4. Applicability of the proposed attack

As we have already mentioned, there are some requirements that must be fulfilled in order for the attacks to be feasible. Some of them are normal assumptions: splitting more than one secret, considering the attacker as one of the participants, etc. However, there are some other assumptions that could not be normally met in practice. Such an example is the assumption that all the shared images must have the same dimension (the proposed attacks could be improved to allow images with different dimensions).

An already mentioned problem (in Section 4.2) is the existence of enough timeout shares of the participant $P_1$, so that it does not raise suspicions among the other participants.

Also, the proposed attack is feasible only when the attacker receives the share that is computed specially for him. If the shares are mixed up before being sent in the distribution phase, then the attack will most probably fail.

5. Conclusions

This paper considers the extension of the SETUP attack to two particular visual secret sharing schemes. When the proper conditions are met, this may allow the attacker to detect the secret image without any help from the other participants. The properties and security of the proposed methods are analyzed.

Acknowledgment

This paper is supported by the Sectorial Operational Programme Human Resources Development (SOP HRD), financed from the European Social Fund and by the Romanian Government under the contract number SOP HDR/107/1.5/S/82514.

References

[1] Adrian Atanasiu, Ruxandra Olimid, Emil Simion. SETUP Attack in Visual Secret Sharing Scheme, Proceedings of the 4th International Conference on Security for Information Technology and Communications, 2011, pp. 7-15.

[2] Elsayed Mohamed, Hassan Elkamchouchi. Kleptographic Attacks on Elliptic Curve Cryptosystems, International Journal of Computer Science and Network Security, 2010, pp. 213-215.

[3] Elsayed Mohamed, Hassan Elkamchouchi. Kleptographic Attacks on Elliptic Curve Signatures, International Journal of Computer Science and Network Security, 2010, pp. 264-267.

[4] Moni Naor, Adi Shamir. Visual Cryptography, Advances in Cryptology - CRYPTO '94, pp. 1-12.

[5] Constantinos Patsakis, Nikolaos Alexandris. A New SETUP for Factoring Based Algorithms, IH-MSP '10 Proceedings of the 2010 Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, 2010.

[6] Adam Young, Moti Yung. The dark side of "black-box" cryptography or: Should we trust capstone?, Advances in Cryptology - CRYPTO '96, pp. 89-103.

[7] Adam Young, Moti Yung. Kleptography: Using Cryptography Against Cryptography, Advances in Cryptology - CRYPTO '97, pp. 62-74.

[8] Adam Young, Moti Yung. The prevalence of kleptographic attacks on discrete-log based cryptosystems, Advances in Cryptology - CRYPTO '97, pp. 264-276.

[9] Adam Young, Moti Yung. Malicious Cryptography: Exposing Cryptovirology, Wiley Publishing, 2004.