The Tutorial: Cryptography


Nov 21, 2013 (3 years and 6 months ago)



Yu-Hsiang Wang (王昱翔)

E-mail: r98942059@ntu.edu.tw

Graduate Institute of Communication Engineering

National Taiwan University, Taipei, Taiwan, ROC


Abstract


In this report, we introduce some cryptographic techniques developed since 1976. We begin with the Data Encryption Standard (DES), because it is the primary cryptosystem formally accepted by the National Bureau of Standards. As time went by, the DES algorithm was replaced by the Advanced Encryption Standard (AES), because DES is easily broken in this era of scientific and technological progress. After introducing these fundamental algorithms, we describe two applications of cryptography. The first is watermarking, a very important application for copyright problems. The other is visual cryptography, whose encryption and decryption are based on the human visual system. We survey the concept of visual cryptography and introduce a data hiding algorithm in image size invariant visual cryptography.


1. Introduction

Cryptography is the study of hiding confidential information. Current cryptography spans mathematics, engineering, and computer science. Its applications reach into all parts of daily life, e.g. ATM cards, network security, video and audio. The field covered by cryptography is very extensive. In this report, we introduce the conventional algorithms: the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). These two algorithms were selected as information processing standards by the National Bureau of Standards and the National Institute of Standards and Technology, respectively, in different centuries. The main difference between them is the length of their keys: the key length of the AES algorithm is much longer than that of DES. In chapters 2 and 3, we describe in detail the construction and the functions of the two algorithms, respectively. Next, in chapters 4 and 5, we focus on some applications related to cryptography, e.g. watermarking and visual cryptography. Both are widely applied in copyright protection, commercial image transactions, content authentication, and trusted cameras. For watermarking, we concentrate on the public key verification watermark, which is an extension of the secret key scheme. For visual cryptography, we cover not only the conventional visual secret sharing (VSS) system but also the size invariant VSS, which is a refined version of the conventional VSS. Finally, we introduce the integration of data hiding and visual cryptography.


2. DES Algorithm

The Data Encryption Standard (DES) is a cryptosystem that was selected as a Federal Information Processing Standard (FIPS) by the National Bureau of Standards in 1976. DES encryption and decryption are fast, but the drawback of DES is that its key has only 56 bits, so it is possible to crack DES in a day with today's technology.

In the following, we describe the DES algorithm in detail, because DES remains an important model for the construction of secure block ciphers.

2.1 The Construction of DES

Given a plaintext $p$ of length $2t$ over the alphabet {0, 1}, we split it into two halves of length $t$ and write it as $p = (L_0, R_0)$, where $L_0$ is the left half and $R_0$ is the right half. Then we construct the sequence

$$(L_i, R_i) = \bigl(R_{i-1},\ L_{i-1} \oplus f_{K_i}(R_{i-1})\bigr), \quad 1 \le i \le r, \tag{2.1}$$

and set

$$E_k(L_0, R_0) = (R_r, L_r), \tag{2.2}$$

where $f_K$ is the encryption function for the key $K$ and $r$ is the number of rounds, so we get a key space $K$ containing sequences $(K_1, \ldots, K_r)$ of round keys. $E_k$ is the encryption function of DES for the key $k \in K$.

Similarly, the decryption of DES can be derived from (2.1):

$$(R_{i-1}, L_{i-1}) = \bigl(L_i,\ R_i \oplus f_{K_i}(L_i)\bigr), \quad 1 \le i \le r. \tag{2.3}$$

In decryption, the $r$ rounds are processed with the reversed key sequence $(K_r, K_{r-1}, \ldots, K_1)$, so the plaintext $(R_0, L_0)$ is reconstructed from the ciphertext $(R_r, L_r)$.

Next, we introduce the three steps of DES: initial permutation, internal block cipher, and keys.
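The following sketch is an added example, not part of the original report. It implements the round structure of (2.1) to (2.3) with a stand-in round function (a truncated SHA-256, which is an assumption and not the DES function $f_K$) to show that decryption only needs the round keys in reverse order and never needs to invert the round function.

```python
import hashlib
from typing import Sequence


def round_function(key: bytes, half: bytes) -> bytes:
    """Stand-in for f_K (hypothetical, NOT the DES f): truncated SHA-256.

    It is deliberately not invertible; a Feistel network never computes f^-1.
    """
    return hashlib.sha256(key + half).digest()[:len(half)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(block: bytes, round_keys: Sequence[bytes]) -> bytes:
    """Apply (2.1) for i = 1..r, then output (R_r, L_r) as in (2.2)."""
    if len(block) % 2 or not 0 < len(block) <= 64:
        raise ValueError("block length must be 2t with 1 <= t <= 32 bytes")
    t = len(block) // 2
    left, right = block[:t], block[t:]
    for k in round_keys:
        # (L_i, R_i) = (R_{i-1}, L_{i-1} xor f_{K_i}(R_{i-1}))
        left, right = right, xor(left, round_function(k, right))
    return right + left


def feistel_decrypt(block: bytes, round_keys: Sequence[bytes]) -> bytes:
    """Same network as encryption, with the key sequence K_r, ..., K_1 (2.3)."""
    return feistel_encrypt(block, list(round_keys)[::-1])


if __name__ == "__main__":
    keys = [bytes([i]) * 4 for i in range(1, 9)]   # constructed round keys
    ct = feistel_encrypt(b"16-byte message!", keys)
    print(ct.hex(), feistel_decrypt(ct, keys))
```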

2.2 Initial permutation (IP)

First of all, DES permutes $p$ using the IP table shown in Table 2.1. The initial permutation (IP) is a bit permutation on bit vectors of length 64 that is independent of the chosen key. Table 2.1 is read as follows: if $p = p_1 p_2 p_3 \ldots p_{64}$, then $\mathrm{IP}(p) = p_{58} p_{50} p_{42} \ldots p_7$.

After all rounds are finished, the ciphertext is constructed using the inverse permutation $\mathrm{IP}^{-1}$. For example, for an 8-round cipher, the ciphertext is $c = \mathrm{IP}^{-1}(R_8 L_8)$.

Table 2.1 The initial permutation IP.

IP
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^{-1}
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25


2.3 Internal block cipher

The internal block cipher is the encryption function $f_K$ in (2.1), whose input is in $\{0,1\}^{32}$ and whose output is in $\{0,1\}^{32}$, with a key $K \in \{0,1\}^{48}$. Fig. 2.1 shows the structure of the internal block cipher. In the beginning, the argument $R \in \{0,1\}^{32}$ is expanded by the expansion function $E: \{0,1\}^{32} \to \{0,1\}^{48}$. This function is shown in Table 2.2 and is used in the same way as Table 2.1.

Subsequently, compute $E(R) \oplus K$ and divide the result into 8 blocks $B_i$, $1 \le i \le 8$, of length 6, written as

$$E(R) \oplus K = B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8.$$

Next, use the functions $S_i: \{0,1\}^6 \to \{0,1\}^4$, $1 \le i \le 8$, called S-boxes. The S-boxes are the core of DES because they are highly nonlinear. They are shown in Table 2.4, with 4 rows and 16 columns for each box.

The computing method is as follows. For each $B = b_1 b_2 b_3 b_4 b_5 b_6$, the integer with binary expansion $b_1 b_6$ is used as the row index, and the integer with binary expansion of the middle bits $b_2 b_3 b_4 b_5$ is used as the column index. The entry of the S-box in this row and column is written as a binary expansion of length 4. For example, for $S_1(101010)$ the first bit is 1 and the last bit is 0, so the row index is the integer with binary expansion 10 (i.e., 2), and the column index is the integer with binary expansion 0101 (i.e., 5). The entry in row 2 and column 5 of the first S-box is 6, whose binary expansion is 110. Consequently, $S_1(101010) = 0110$.

The outputs of the S-boxes are therefore $C_i = S_i(B_i)$, $1 \le i \le 8$, which form the string $C = C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8$, $C \in \{0,1\}^{32}$. Finally, applying the permutation P from Table 2.3 to $C$ yields the result $f_K(R)$.

Fig. 2.1 The encryption function $f_K$ of DES.



Table 2.2 The function E.

E
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1


Table 2.3 The function P.

P
16  7 10 21
29 12 28 17
 1 15 23 26
 5 18 31 20
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25





Table 2.4 S-boxes of DES.

Box  Row  Column
          [0]  [1]  [2]  [3]  [4]  [5]  [6]  [7]  [8]  [9] [10] [11] [12] [13] [14] [15]
S1   [0]   14    4   13    1    2   15   11    8    3   10    6   12    5    9    0    7
     [1]    0   15    7    4   14    2   13    1   10    6   12   11    9    5    3    8
     [2]    4    1   14    8   13    6    2   11   15   12    9    7    3   10    5    0
     [3]   15   12    8    2    4    9    1    7    5   11    3   14   10    0    6   13
S2   [0]   15    1    8   14    6   11    3    4    9    7    2   13   12    0    5   10
     [1]    3   13    4    7   15    2    8   14   12    0    1   10    6    9   11    5
     [2]    0   14    7   11   10    4   13    1    5    8   12    6    9    3    2   15
     [3]   13    8   10    1    3   15    4    2   11    6    7   12    0    5   14    9
S3   [0]   10    0    9   14    6    3   15    5    1   13   12    7   11    4    2    8
     [1]   13    7    0    9    3    4    6   10    2    8    5   14   12   11   15    1
     [2]   13    6    4    9    8   15    3    0   11    1    2   12    5   10   14    7
     [3]    1   10   13    0    6    9    8    7    4   15   14    3   11    5    2   12
S4   [0]    7   13   14    3    0    6    9   10    1    2    8    5   11   12    4   15
     [1]   13    8   11    5    6   15    0    3    4    7    2   12    1   10   14    9
     [2]   10    6    9    0   12   11    7   13   15    1    3   14    5    2    8    4
     [3]    3   15    0    6   10    1   13    8    9    4    5   11   12    7    2   14
S5   [0]    2   12    4    1    7   10   11    6    8    5    3   15   13    0   14    9
     [1]   14   11    2   12    4    7   13    1    5    0   15   10    3    9    8    6
     [2]    4    2    1   11   10   13    7    8   15    9   12    5    6    3    0   14
     [3]   11    8   12    7    1   14    2   13    6   15    0    9   10    4    5    3
S6   [0]   12    1   10   15    9    2    6    8    0   13    3    4   14    7    5   11
     [1]   10   15    4    2    7   12    9    5    6    1   13   14    0   11    3    8
     [2]    9   14   15    5    2    8   12    3    7    0    4   10    1   13   11    6
     [3]    4    3    2   12    9    5   15   10   11   14    1    7    6    0    8   13
S7   [0]    4   11    2   14   15    0    8   13    3   12    9    7    5   10    6    1
     [1]   13    0   11    7    4    9    1   10   14    3    5   12    2   15    8    6
     [2]    1    4   11   13   12    3    7   14   10   15    6    8    0    5    9    2
     [3]    6   11   13    8    1    4   10    7    9    5    0   15   14    2    3   12
S8   [0]   13    2    8    4    6   15   11    1   10    9    3   14    5    0   12    7
     [1]    1   15   13    8   10    3    7    4   12    5    6   11    0   14    9    2
     [2]    7   11    4    1    9   12   14    2    0    6   10   13   15    3    5    8
     [3]    2    1   14    7    4   10    8   13   15   12    9    0    3    5    6   11


2.4 Keys Computation

In this section, we explain how the round keys are computed. First, let $k \in \{0,1\}^{64}$ be a DES key, from which we create the round keys $K_i$, $1 \le i \le 16$, of length 48. Then we define the shift value for each round $i$, $1 \le i \le 16$, as follows:

    1 for i = 1, 2, 9, 16
    2 otherwise,

and the functions

$$\mathrm{PC1}: \{0,1\}^{64} \to \{0,1\}^{28} \times \{0,1\}^{28}$$

and

$$\mathrm{PC2}: \{0,1\}^{28} \times \{0,1\}^{28} \to \{0,1\}^{48}.$$

The steps for computing the round keys are shown below.

    set (C_0, D_0) = PC1(k);
    for i := 1 to 16 do
        (A) Compute the string C_i from C_{i-1} by a circular left shift by the shift value of round i.
        (B) Compute the string D_i from D_{i-1} by a circular left shift by the shift value of round i.
        (C) Set K_i = PC2(C_i, D_i).
    end

The function PC1 transforms a bitstring $k$ of length 64 into two bitstrings $C$ and $D$ of length 28 according to Table 2.5(a). The function PC1 in Table 2.5(a) is divided into two halves. The upper half describes $C$: if $k = k_1 k_2 \ldots k_{64}$, then $C = k_{57} k_{49} \ldots k_{36}$. The lower half describes $D$, where $D = k_{63} k_{55} \ldots k_4$. The function PC2 transforms a pair $(C, D)$ of bitstrings into a bitstring of length 48 according to Table 2.5(b), e.g. $\mathrm{PC2}(b_1 b_2 \ldots b_{56}) = b_{14} b_{17} \ldots b_{32}$.


Table 2.5 (a) The function PC1 and (b) PC2.

(a) PC1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36

63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

(b) PC2
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32



3. AES Algorithm

The Advanced Encryption Standard (AES) is a symmetric-key encryption standard that was selected by the National Institute of Standards and Technology (NIST) and replaced the DES algorithm in 2001.
AES is a block cipher with alphabet
2
,


0, 1, 2, 3, ...
   

and is a special case of the Rijndael cipher. In the Rijndael cipher, more block lengths and ciphertext spaces are possible than in AES.

The Rijndael cipher is mainly composed of the encryption function Cipher and the key function KeyExpansion. We describe these two functions in the following subsections. Before introducing the AES algorithm, we first define some parameters.

Nb: The plaintext and ciphertext blocks are composed of Nb 32-bit words, $4 \le Nb \le 8$. So the Rijndael block length is Nb*32, and the AES block length is 4*32.

Nk: The key is composed of Nk 32-bit words, $4 \le Nk \le 8$. So the Rijndael key space is $2^{32 \cdot Nk}$, and AES has Nk = 4, 6, or 8. So the AES key space is $2^{128}$, $2^{192}$, or $2^{256}$.

Nr: Number of rounds. AES has

$$Nr = \begin{cases} 10 & \text{for } Nk = 4, \\ 12 & \text{for } Nk = 6, \\ 14 & \text{for } Nk = 8. \end{cases}$$

The plaintext and ciphertext are represented as two-dimensional arrays with four rows and Nb columns. The plaintext and ciphertext of AES have the following form:

$$\begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\ s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\ s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3} \end{pmatrix},$$

where $s_{i,j}$ is a byte, i.e. a bit-vector of length 8, and $s_{i,0} s_{i,1} s_{i,2} s_{i,3}$ is a word, i.e. a bit-vector of length 32.


3.1 Cipher

We present the encryption function Cipher. The input is the plaintext block byte in[4, Nb] and the expanded key word w[Nb*(Nr+1)]. The output is the ciphertext block byte out[4, Nb]. In the beginning, the plaintext in is copied into the byte array state, and state is transformed by AddRoundKey. Then, in the first Nr-1 rounds, the transforms SubBytes, ShiftRows, MixColumns and AddRoundKey are applied to state. In the last round, only SubBytes, ShiftRows and AddRoundKey are used.

Algorithm 3-1: The AES function Cipher

    Cipher(byte in[4, Nb], byte out[4, Nb], word w[Nb*(Nr+1)])
    begin
        byte state[4, Nb];
        state = in;
        AddRoundKey(state, w[0, Nb-1]);
        for round = 1 step 1 to Nr-1
            SubBytes(state);
            ShiftRows(state);
            MixColumns(state);
            AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]);
        end for
        SubBytes(state);
        ShiftRows(state);
        AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]);
        out = state;
    end



Before describing the transforms, we first define the role that bytes play in the Rijndael cipher. Bytes are identified with elements of the finite field $GF(2^8)$. We can use the polynomial

$$m(X) = X^8 + X^4 + X^3 + X + 1.$$

Because this polynomial is irreducible over $GF(2)$, we can write $GF(2^8) = GF(2)(\alpha)$, where $\alpha$ satisfies the equation $\alpha^8 + \alpha^4 + \alpha^3 + \alpha + 1 = 0$. So the byte $(b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0)$ corresponds to the element $\sum_{i=0}^{7} b_i \alpha^i$ of $GF(2^8)$. Therefore, bytes can be added, multiplied, and inverted, except that zero cannot be inverted. We write $b^{-1}$ for the inverse of a byte $b$, e.g. $2^{-1} = 2$ or $0^{-1} = 0$.

As an example, the byte b = (0, 0, 0, 0, 0, 0, 1, 1) corresponds to the field element $\alpha + 1$, and

$$(\alpha + 1)^{-1} = \alpha^7 + \alpha^6 + \alpha^5 + \alpha^4 + \alpha^2 + \alpha.$$

So $b^{-1} = (1, 1, 1, 1, 0, 1, 1, 0)$. In the following three subsections, we describe the functions SubBytes, ShiftRows, and MixColumns.


3.1.1 SubBytes

SubBytes is a non-linear function. It transforms each byte of state as

$$b \mapsto A b^{-1} + c, \tag{3.1}$$

where

$$A = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \quad \text{and} \quad c = \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.$$

In this equation, $b$ is a bit-vector with $2^8$ possible arguments, so an S-box table can be used in SubBytes. For example, if we apply it to b = (0, 0, 0, 0, 0, 0, 1, 1), we can determine the corresponding value of the S-box. Because we already know that $b^{-1} = (1, 1, 1, 1, 0, 1, 1, 0)$, we get $A b^{-1} + c = (0, 1, 1, 0, 0, 1, 1, 1)$. The S-box ensures the non-linearity of AES.


3.1.2 ShiftRows

The function ShiftRows applies cyclic left-shifts to the rows of the matrix. The transform is shown below. The left matrix has 4 rows and Nb columns, and each entry is a byte. The right matrix is the result of the cyclic left shifts.

$$\begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\ s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\ s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3} \end{pmatrix} \to \begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\ s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\ s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2} \end{pmatrix}, \tag{3.2}$$

Generally, a cyclic left-shift of $c_i$ positions is applied to the $i$th row, with $c_i$ given in Table 3.1.

Table 3.1 The cyclic left-shift in ShiftRows.

Nb   c0   c1   c2   c3
4     0    1    2    3
5     0    1    2    3
6     0    1    2    3
7     0    1    2    4
8     0    1    3    4




3.1.3 MixColumns

A column of state $s_j = (s_{0,j}, s_{1,j}, s_{2,j}, s_{3,j})$, for $0 \le j < Nb$, can be identified with the polynomial

$$s_{0,j} + s_{1,j}x + s_{2,j}x^2 + s_{3,j}x^3 \in GF(2^8)[x]. \tag{3.3}$$

The function MixColumns is

$$s_j \leftarrow \bigl(s_j * a(x)\bigr) \bmod (x^4 + 1), \quad 0 \le j < Nb, \tag{3.4}$$

where $a(x) = \{03\} * x^3 + \{01\} * x^2 + \{01\} * x + \{02\}$.

Furthermore, it can be presented as a linear transformation in $GF(2^8)^4$:

$$s_j \leftarrow \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} s_j, \quad 0 \le j < Nb, \tag{3.5}$$
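The byte arithmetic in $GF(2^8)$ defined before section 3.1.1 and the two forms of MixColumns, (3.4) and (3.5), as an added example that is not part of the original report. It checks the inverse of $\alpha + 1$ given above and shows that the polynomial form and the matrix form produce the same column; the sample column is a constructed input.

```python
M_POLY = 0x11B                      # m(X) = X^8 + X^4 + X^3 + X + 1
A_POLY = [0x02, 0x01, 0x01, 0x03]   # a(x): coefficients of x^0, x^1, x^2, x^3
MIX = [[0x02, 0x03, 0x01, 0x01],    # matrix of (3.5)
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) = GF(2)[X] / (m(X))."""
    result = 0
    while b:
        if b & 1:
            result ^= a             # addition in GF(2^8) is XOR
        a <<= 1                     # multiply a by alpha
        if a & 0x100:
            a ^= M_POLY             # reduce with alpha^8 = alpha^4+alpha^3+alpha+1
        b >>= 1
    return result


def gf_inv(b):
    """Inverse as b^254 (square-and-multiply); maps 0 to 0."""
    result, base, exponent = 1, b, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exponent >>= 1
    return result


def mix_column_poly(col):
    """(3.4): multiply s_j(x) by a(x) and reduce modulo x^4 + 1."""
    out = [0, 0, 0, 0]
    for i, s in enumerate(col):
        for k, a in enumerate(A_POLY):
            out[(i + k) % 4] ^= gf_mul(s, a)    # x^4 = 1 modulo x^4 + 1
    return out


def mix_column_matrix(col):
    """(3.5): the same map written as a matrix over GF(2^8)."""
    out = []
    for row in MIX:
        acc = 0
        for coeff, s in zip(row, col):
            acc ^= gf_mul(coeff, s)
        out.append(acc)
    return out


def mix_columns(state):
    """Apply MixColumns to a state given as 4 rows of Nb bytes."""
    nb = len(state[0])
    cols = [mix_column_matrix([state[r][j] for r in range(4)]) for j in range(nb)]
    return [[cols[j][r] for j in range(nb)] for r in range(4)]


if __name__ == "__main__":
    print(hex(gf_inv(0x03)))                       # inverse of alpha + 1
    column = [0xDB, 0x13, 0x53, 0x45]              # constructed sample column
    print([hex(v) for v in mix_column_poly(column)])
    print(mix_column_poly(column) == mix_column_matrix(column))
```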


3.1.4 AddRoundKey

Define $s_0, \ldots, s_{Nb-1}$ as the columns of state. The function AddRoundKey(state, w[l*Nb, (l+1)*Nb-1]) is

$$s_j \leftarrow s_j \oplus w[l * Nb + j], \quad 0 \le j < Nb. \tag{3.6}$$

In this function, the words of the round key are added mod 2 to the columns of state, which makes each round key-dependent.


3.2 KeyExpansion

The algorithm KeyExpansion expands a Rijndael key key, which is a byte array of length 4*Nk, into the expanded key w, which is a word array of length Nb*(Nr+1). The pseudocode of KeyExpansion is displayed in the following.

Table 3.2 The function KeyExpansion in AES.

    KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)
    begin
        word temp;
        i = 0;
        while (i < Nk)
            w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
            i = i + 1;
        end while
        i = Nk;
        while (i < Nb*(Nr+1))
            temp = w[i-1];
            if (i mod Nk = 0)
                temp = SubWord(RotWord(temp)) xor Rcon[i/Nk];
            else if (Nk > 6 and i mod Nk = 4)
                temp = SubWord(temp);
            end if
            w[i] = w[i-Nk] xor temp;
            i = i + 1;
        end while
    end

In the beginning, the first Nk words of w are filled with the bytes of key by using the function word, which concatenates its arguments. The function SubWord applies the previously mentioned function SubBytes of 3.1.1. Its input is a word, which can be written as a sequence $(b_0, b_1, b_2, b_3)$ of bytes. Each byte is transformed by (3.1):

$$(b_0, b_1, b_2, b_3) \mapsto \bigl(A b_0^{-1} + c,\ A b_1^{-1} + c,\ A b_2^{-1} + c,\ A b_3^{-1} + c\bigr). \tag{3.7}$$

The input of RotWord is also a word $(b_0, b_1, b_2, b_3)$. The output is

$$(b_0, b_1, b_2, b_3) \mapsto (b_1, b_2, b_3, b_0). \tag{3.8}$$

Besides, we have Rcon[n] = ({02}^n, {00}, {00}, {00}).


4. Cryptography for Watermarking

Digital watermarking is a technique for inserting a digital signature into an image so that the signature can later be extracted for ownership verification or authentication. There are many different types of watermarking schemes for different applications. One type of watermark ensures the integrity of images, because digital images can be tampered with easily. The ability to detect any change is important in many applications, e.g. medical archiving or illegal usage. Another type is for image authentication, e.g. when a buyer buys a digital image from a seller over a network. After the seller transmits the digital image to the buyer over the network, the buyer wants to check the integrity of the received image and whether the image was sent by the seller.

In this section, we survey a public key watermarking algorithm for image integrity verification [4]. This algorithm is an extension of the secret key verification watermark. In this system, the owner of the image inserts a watermark using a private key $K'$, and any person can use the public key $K$, which corresponds to the private key $K'$, to extract the watermark. We can then detect whether the watermarked image has been changed by observing the extracted watermark.


4.1 Pre-set

Define a grayscale image $x_{m,n}$, a binary watermark image $b_{m,n}$ and a watermarked image $y_{m,n}$, each of size M by N pixels. We partition both the image and the watermark image into blocks of size $I$ by $J$ pixels. Each block of $b_{m,n}$ is then inserted into the corresponding block of $x_{m,n}$ to derive the watermarked block of $y_{m,n}$. The watermark insertion and extraction procedures are presented in 4.2 and 4.3.


4.2 Watermark Insertion

Let $X_r$ denote the $r$th block of data in the image $x_{m,n}$, and let $\tilde{X}_r$ denote the corresponding block in which each element equals the corresponding element of $X_r$, except that the least significant bit is set to zero. Then we compute the hash

$$H(M, N, \tilde{X}_r) = (t_1^r, t_2^r, \ldots, t_s^r), \tag{4.1}$$

where $H$ is a cryptographic hash function, e.g. MD5 [5], $t_i^r$ denotes the output bits of the hash function, and $s$ is the number of output bits, which depends on the hash function chosen. Note that the block size $I*J$ should satisfy $I*J \le s$. Next, set $T_r$ as the first $I*J$ bits of the bit stream,

$$T_r = (t_1^r, t_2^r, \ldots, t_{IJ}^r),$$

and use exclusive-OR to combine $T_r$ with the corresponding block $B_r$ in $b_{m,n}$, i.e. $W_r = T_r \oplus B_r$, where $\oplus$ denotes the element-wise exclusive-OR operation between the two blocks.

After deriving $W_r$, we encrypt $W_r$ with a public key cryptographic system [6] to get

$$C_r = E_{K'}(W_r), \tag{4.2}$$

where $E$ is the encryption function of the public key system and $K'$ is the private key. Then we insert the binary block of data $C_r$ into the least significant bits of $\tilde{X}_r$ to form a block $Y_r$ of the watermarked image. The watermark insertion procedure is shown in Fig. 4.1.

Fig. 4.1 A public key watermarking algorithm: the watermark insertion procedure. [4]


4.3 Watermark Extraction

Let $Z_r$ denote an image block. We split $Z_r$ into two pieces. The first piece $G_r$ contains the least significant bits, and the second piece $\tilde{Z}_r$ contains the pixel values without the least significant bits. We compute the hash function of $M$, $N$ and $\tilde{Z}_r$,

$$H(M, N, \tilde{Z}_r) = (q_1^r, q_2^r, \ldots, q_s^r),$$

and let $Q_r$ denote the first 64 bits of $H(M, N, \tilde{Z}_r)$. Then we decrypt $G_r$ by a decryption algorithm [6] with the public key $K$ that corresponds to the private key $K'$ used in the watermark insertion:

$$U_r = D_K(Z_r). \tag{4.3}$$

Finally, we use the element-wise exclusive-OR operation to compute the output block $O_r = Q_r \oplus U_r$. The watermark extraction procedure is shown in Fig. 4.2.

Fig. 4.2 A public key watermarking algorithm: the watermark extraction procedure. [4]

Note that if $Z_r = Y_r$, then $\tilde{Z}_r = \tilde{X}_r$ and $G_r = C_r$, so $P_r = Q_r$ and $U_r = W_r$. Hence the output binary image $O_r$ is identical to the block $B_r$. When the watermarked image has been tampered with, the output binary image will appear similar to random noise, due to the properties of the hash function.
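The insertion and extraction procedures of 4.2 and 4.3, as an added example that is not code from the original report or from [4]. It assumes 8 by 8 blocks, MD5 as $H$, and textbook RSA as the public key system, with a constructed toy key whose 64-bit modulus lets $C_r$ fit into the 64 least significant bits of a block; extraction decrypts $G_r$ as the text of 4.3 describes. The sample image and watermark are constructed.

```python
import hashlib

# Toy RSA key constructed for this example from two 32-bit primes, so that
# C_r < 2^64 fits into the LSBs of one 8x8 block. Far too small for real use.
P, Q = 4294967291, 4294967279
N_MOD = P * Q
E_PUB = 65537                                  # public key  K  = (N_MOD, E_PUB)
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))     # private key K' = (N_MOD, D_PRIV)
I = J = 8                                      # I*J = 64 <= s = 128 bits (MD5)


def _blocks(m, n):
    if m % I or n % J:
        raise ValueError("image size must be a multiple of the block size")
    return [(r, c) for r in range(0, m, I) for c in range(0, n, J)]


def _hash_bits(m, n, img, r0, c0):
    """First I*J bits of H(M, N, X~_r); X~_r is the block with LSBs cleared."""
    body = bytes(img[r][c] & 0xFE
                 for r in range(r0, r0 + I) for c in range(c0, c0 + J))
    digest = hashlib.md5(m.to_bytes(4, "big") + n.to_bytes(4, "big") + body).digest()
    return int.from_bytes(digest, "big") >> (128 - I * J)


def _pack(plane, r0, c0):
    """Pack the least significant bits of one block into an I*J-bit integer."""
    value = 0
    for r in range(r0, r0 + I):
        for c in range(c0, c0 + J):
            value = (value << 1) | (plane[r][c] & 1)
    return value


def _bit(value, r, c, r0, c0):
    return (value >> (I * J - 1 - ((r - r0) * J + (c - c0)))) & 1


def insert_watermark(x, b):
    """Return y: image x with the binary watermark b signed into its LSBs."""
    m, n = len(x), len(x[0])
    y = [[p & 0xFE for p in row] for row in x]
    for r0, c0 in _blocks(m, n):
        w = _hash_bits(m, n, x, r0, c0) ^ _pack(b, r0, c0)   # W_r = T_r xor B_r
        if w >= N_MOD:
            raise ValueError("W_r does not fit below the toy modulus")
        c_r = pow(w, D_PRIV, N_MOD)                          # (4.2), private key
        for r in range(r0, r0 + I):
            for c in range(c0, c0 + J):
                y[r][c] |= _bit(c_r, r, c, r0, c0)
    return y


def extract_watermark(z):
    """Return the output image O computed with the public key only."""
    m, n = len(z), len(z[0])
    o = [[0] * n for _ in range(m)]
    for r0, c0 in _blocks(m, n):
        q = _hash_bits(m, n, z, r0, c0)                      # Q_r
        u = pow(_pack(z, r0, c0), E_PUB, N_MOD)              # U_r from G_r
        for r in range(r0, r0 + I):
            for c in range(c0, c0 + J):
                o[r][c] = _bit(q ^ u, r, c, r0, c0)          # O_r = Q_r xor U_r
    return o


def sample_image(m=16, n=16):
    """Constructed grayscale test image."""
    return [[(31 * r + 17 * c) % 256 for c in range(n)] for r in range(m)]


def sample_watermark(m=16, n=16):
    """Constructed binary watermark (checkerboard of 4x4 squares)."""
    return [[(r // 4 + c // 4) % 2 for c in range(n)] for r in range(m)]


if __name__ == "__main__":
    y = insert_watermark(sample_image(), sample_watermark())
    print(extract_watermark(y) == sample_watermark())        # untouched image
    y[3][5] ^= 0x10                                          # tamper with block 0
    for row in extract_watermark(y)[:8]:
        print("".join(map(str, row)))                        # noise in block 0
```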


5. Visual Cryptography and Data Hiding

5.1 Visual Cryptography

In the encryption procedure, visual cryptography [7] is a technique for hiding a two-tone secret image in a set of binary transparencies that look like random noise. In the decryption step, the secret image can be observed by the human visual system by stacking some of the transparencies. Generally, visual cryptography uses a visual secret sharing (VSS) scheme based on a {$k$, $n$} threshold framework, where $n$ means that a secret image is hidden in $n$ transparencies, and $k$ means that stacking $k$ or more than $k$ transparencies reconstructs the secret image visually.


5.1.1 The conventional {2, 2} VSS

In the conventional {2, 2} VSS, a secret image is encrypted into two transparencies, and there are six 2*2 codewords, shown in Fig. 5.1. From Fig. 5.1, we can see that each codeword contains two white pixels and two black pixels; the purpose of this is to produce random noise in the transparencies.

[Figure: the codewords $c_1$, $c_2$, $c_3$, $c_4$, $c_5$, $c_6$]

Fig. 5.1 The codewords of the conventional {2, 2} VSS. [7]


In the encryption part, each secret pixel is encrypted into two 2*2 codewords. So each white (black) pixel has six possible pairs in the encryption part, shown in Table 5.2. A white pixel can be encrypted into six types {($c_1$, $c_1$), ($c_2$, $c_2$), ($c_3$, $c_3$), ($c_4$, $c_4$), ($c_5$, $c_5$), ($c_6$, $c_6$)}, where the former codeword is assigned to the first transparency and the latter one is assigned to the second transparency. Each combination appears with equal probability. Similarly, a black pixel is encrypted into six combinations {($c_1$, $c_2$), ($c_2$, $c_1$), ($c_3$, $c_4$), ($c_4$, $c_3$), ($c_5$, $c_6$), ($c_6$, $c_5$)}. Therefore, a $k_1 * k_2$ secret will be encrypted into two $2k_1 * 2k_2$ transparencies ($T_1$ and $T_2$). After combining the two transparencies, the reconstructed image $R$ can be derived. An example of the conventional {2, 2} VSS is shown in Fig. 5.2.


Table 5.2 The encryption and decryption types of the conventional {2, 2} VSS. [8]

[Table not reproduced: columns Secret, $T_1$, $T_2$, Stack in $R$; rows $C_0$ and $C_1$.]

Fig. 5.2 An example of the conventional {2, 2} VSS: (a) the secret image, (b) the transparency $T_1$, (c) the transparency $T_2$, (d) the stacking output of $T_1$ and $T_2$. [8]



The drawback of the conventional VSS is that the transparencies are expanded several times; e.g. for the conventional {2, 2} VSS they are four times the size of the original secret image. This is a heavy load on storage space and network bandwidth. For this reason, image size invariant visual cryptography was announced in 1999.


5.1.2 The image size invariant {2, 2} VSS

Ito et al. [9] designed an image size invariant VSS. This technique is based on a probabilistic principle. Unlike the conventional {2, 2} VSS, Ito et al.'s model has only two single-pixel codewords, shown in Fig. 5.3. What it shares with the conventional {2, 2} VSS is that there are also two choices for encrypting a white pixel and a black pixel. The encryption and decryption types of the image size invariant {2, 2} VSS are shown in Table 5.2. To encrypt a white (black) pixel, just randomly choose a column from $C_0$ ($C_1$) and assign its entries to the two transparencies, respectively. To decrypt pixels, compute the exclusive-OR operation between the pixels of the two transparencies. An example of the image size invariant {2, 2} VSS is shown in Fig. 5.4.




[Figure: the codewords $c_1$ and $c_2$]

Fig. 5.3 The codewords of the image size invariant {2, 2} VSS. [8]

Table 5.2 The encryption and decryption types of the image size invariant {2, 2} VSS. [8]

[Table not reproduced: columns Secret, $C_0$, $C_1$; rows $T_1$, $T_2$, stacking, XOR.]

Fig. 5.4 An example of the image size invariant {2, 2} VSS: (a) the secret image, (b) the transparency $T_1$, (c) the transparency $T_2$, (d) the stacking output of $T_1$ and $T_2$. [8]


5.1.3 The characteristics of visual cryptography

Visual cryptography has some advantages [10]:

a. Complete security.

b. It is a robust method against loss from compression and distortion, because of its binary property.

c. No computer device is needed for decryption.

The drawbacks of visual cryptography:

a. The resolution of the restored secret image is lower than that of the original secret image.

b. Applying visual cryptography to a color image requires some extra processing, such as halftoning and color-separation.

c. The superposition of two transparencies is not easy to accomplish unless some special alignment marks are provided.


5.2 Combination of Data Hiding and Visual Cryptography

Data hiding can be applied in tamper detection, content authentication, and copyright protection. At present, many image data hiding techniques have been proposed, e.g. for cover media such as audio, images, and video. In this section, we survey an algorithm [8] for hiding important data by image size invariant visual cryptography.


5.2.1 Data Hiding and Encryption

Let the secret image $I$ be an $M*N$ halftone image and the hidden data $W$ an $M*N/2$ binary image. The sizes of the two transparencies $T_1$ and $T_2$ are $M*N$, because image size invariant visual cryptography is used here. We assume that 0 and 1 denote a black and a white pixel, respectively. The encryption procedure considers three bits at the same time: 1 bit of hidden data $w_c$ and 2 bits of secret image data ($s_c$, $s_{c+1}$). The computation order is as follows. First, the data $w_c$ is hidden in $T_1(x, y)$ and $T_2(x, y+1)$ by (5.1). Second, $s_c$ is encrypted in $T_1(x, y)$ and $T_2(x, y)$ by (5.2). Last, $s_{c+1}$ is encrypted in $T_1(x, y+1)$ and $T_2(x, y+1)$ by (5.3). The encryption scheme is presented in Fig. 5.5.

Fig. 5.5 The encryption and data hiding scheme.

$$T_2(x, y+1) = \begin{cases} T_1(x, y), & \text{if } w_c = 0 \\ 1 - T_1(x, y), & \text{if } w_c = 1 \end{cases}. \tag{5.1}$$

$$T_2(x, y) = \begin{cases} 1 - T_1(x, y), & \text{if } s_c = 0 \\ T_1(x, y), & \text{if } s_c = 1 \end{cases}. \tag{5.2}$$

$$T_1(x, y+1) = \begin{cases} 1 - T_2(x, y+1), & \text{if } s_{c+1} = 0 \\ T_2(x, y+1), & \text{if } s_{c+1} = 1 \end{cases}. \tag{5.3}$$


5.2.2 Data Extraction and Decryption

In decryption, the secret image and the hidden data can be extracted by using the exclusive-OR operation. The hidden data extraction is presented in (5.4), and the reconstruction of the secret image ($s_c$, $s_{c+1}$) is expressed as (5.5) and (5.6). These two processes are independent of each other.

$$w_c = \mathrm{XOR}\bigl(T_1(x, y),\ T_2(x, y+1)\bigr). \tag{5.4}$$

$$s_c = \mathrm{XOR}\bigl(T_1(x, y),\ T_2(x, y)\bigr). \tag{5.5}$$

$$s_{c+1} = \mathrm{XOR}\bigl(T_1(x, y+1),\ T_2(x, y+1)\bigr). \tag{5.6}$$

The experimental results of data hiding in image size invariant visual cryptography are shown in Fig. 5.6 [8].


Fig. 5.6 The experimental results of the combination of the data hiding and the visual cryptography. (a) the secret image, (b) the original watermark, (c) the transparency $T_1$, (d) the transparency $T_2$, (e) the stacking results of $T_1$ and $T_2$, (f) the rebuilt secret image, (g) the extracted watermark.


6. Conclusion

The DES algorithm and the AES algorithm are both great cryptographic algorithms, and both were broadly applied in the 20th century and the beginning of the 21st century. However, the DES algorithm has been replaced by the AES algorithm and the RSA algorithm, because the DES key is so short that someone can crack DES in only a day. In this report we did not discuss the RSA algorithm, but that does not mean RSA is unimportant. In fact, the RSA algorithm is widely applied in many fields. Until 2008, no reliable cracking method had appeared that can crack RSA as long as the RSA key is long enough. Nevertheless, the one respect in which RSA loses to DES and other symmetric algorithms is that RSA needs more time than they do.

For the applications of cryptography, we introduced the combination of cryptography with watermarking, and with visual cryptography in data hiding. Both watermarking and visual cryptography serve the purpose of concealing significant information. For the public key authentication watermark, if we use the private key to insert the watermark, the watermark can be extracted with a public key. This is convenient, because everyone can use the public key to check the image without exchanging the private key. For data hiding in image size invariant visual cryptography, both the secret image and the hidden information can be losslessly reconstructed with the exclusive-OR operation. That proves this technique is practical.


Reference

[1] J. Buchmann, Introduction to Cryptography, 2nd Ed., Springer, New York, 2004.

[2] F. Mintzer, G. Braudaway, and M. M. Yeung, "Effective and Ineffective Digital Watermarks," in Proceedings of ICIP, (Santa Barbara, CA), October 1997.

[3] N. Memon and P. W. Wong, "Protecting Digital Media Content: Watermarks for Copyrighting and Authentication," Communications of ACM, July 1998.

[4] P. W. Wong, "A Public Key Watermark for Image Verification and Authentication," in Proceedings of the IEEE International Conference, 1998.

[5] R. L. Rivest, "The MD5 message digest algorithm," Internet RFC 1321, April 1992.

[6] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, vol. 21, pp. 120-126, February 1978.

[7] M. Naor and A. Shamir, "Visual cryptography," Eurocrypt94, Lecture Notes in Computer Science, vol. 950, pp. 1-12, 1995.

[8] H. Luo and F. Yu, "Data Hiding in Image Size Invariant Visual Cryptography," 3rd International Conference on ICIC, pp. 25-25, 2008.

[9] R. Ito, H. Kuwakado and H. Tanaka, "Image size invariant visual cryptography," IEICE Trans. Fundamentals, E82-A, (10), pp. 2172-2177, 1999.

[10] W. Q. Yan, D. Jin, M. S. Kankanhalli, "Visual cryptography for print and scan applications," ISCAS, vol. 5, pp. 572-575, 2004.