
Visual Cryptography

Gamze Canova, Technische Universität Darmstadt, Fachbereich Informatik, gamze.canova@gmail.com
Johannes Born, Technische Universität Darmstadt, Fachbereich Informatik, born.johannes@gmail.com

ABSTRACT

Traditional cryptographic schemes require end users to employ complex operations for encryption as well as decryption. An alternative way to encrypt messages is visual cryptography, where the decryption is performed entirely by the human visual system. This approach seems to be a very promising and user-friendly technique for security issues. In this paper we will examine the main idea of visual cryptography and present several applications using visual cryptography. Furthermore, we will discuss its usefulness for reaching the security objectives authenticity, integrity and confidentiality, and we will have a closer look at the usability aspects of the new approach in comparison to the traditional approaches aiming at security issues.
ACM Classification Keywords

They drew a map of the location where the treasure was buried. To prevent any of the pirates from taking the whole treasure for himself, they tore the map into pieces and distributed these pieces to every member of the team. Only if every single pirate provided his fragment of the map could the treasure be found. The mechanism of secret sharing can be encountered not only in pirate stories, but also in James Bond movies like GoldenEye, where two persons' keys are needed to fire the bomb. The disadvantage of traditional symmetric and asymmetric cryptographic schemes is that they require complex operational steps for the encryption as well as for the decryption of information. For average and inexperienced users these schemes are rarely convenient to employ. In 1994 Moni Naor and Adi Shamir combined the two mechanisms secret sharing and traditional cryptography [21]. They introduced a new concept named visual cryptography for the encryption and decryption of printed material such as images or texts. The new scheme requires no complex mathematical operations but only the human visual system for the deciphering of a given printed material. The concept relies on transparencies which exhibit white noise when each transparency is considered separately. The transparencies consist of randomly located white and black pixels. When these transparencies are stacked together, the secret message, e.g. an image or a text, is revealed. The decryption is executed by the human visual system and only the ownership of all transparencies can reveal the secret. Figure 1 illustrates the abstract workflow of encrypting and decrypting information by means of visual cryptography. The content to be protected is represented by the Technische Universität Darmstadt's Athene logo. The secret information is encrypted by distributing the secret on e.g. two transparencies. Thereby, one transparency represents the key and the other represents the cipher with regard to traditional cryptography.
To decrypt the cipher one merely has to stack the two transparencies together. As a result the secret Athene logo is revealed. In this paper we will explain the original approaches of visual cryptography first introduced by Naor and Shamir. Moreover, we will briefly state some further developed concepts and present some applications that already apply visual cryptography. Finally, visual cryptography will be analyzed with respect to its advantages and disadvantages regarding the usability and limitations followed by some con-

K.6.5 Security and Protection: Authentication; H.1.2 User/Machine Systems: Human factors
INTRODUCTION

Cryptography includes a set of techniques to achieve confidentiality (amongst others) when transmitting or storing data. Cryptography can be categorized into three different schemes: symmetric cryptography, asymmetric cryptography and secret sharing. The traditional symmetric and asymmetric cryptography transforms a given message to a random looking string of characters with the aid of a secret (symmetric cryptography) or a public (asymmetric cryptography) key. The resulting so-called ciphertext is supposed to reveal no information on the plaintext. The decryption, hence the transforming of the cipher back to the plaintext, is performed by using the same (symmetric) or a different secret key (asymmetric). In contrast to symmetric and asymmetric cryptography, secret sharing is based on the distribution of the secret information over several parties. Only if the required subset of parties put their information together is the secret revealed. When we think of old stories of pirates we remember the part when they returned from a raid and buried the treasure [16].

This paper was created as part of the Seminar Usable Security of the Department of Computer Science and Department of Psychology at TU Darmstadt. Copyright is held by the authors or respective owners.

Figure 2. Possible 2 out of 2-shares

Each share consists of 4 subpixels


2 out of 2

We start by introducing the 2 out of 2 scheme for visual cryptography to make the approach more comprehensible. In this case the secret message is distributed on two transparencies. Both transparencies are needed for the decryption process. Hereby, the first transparency can be considered as the ciphertext and the second one can be considered as the secret key with respect to traditional cryptography schemes. It is important to mention that the first transparency can be created randomly. Subsequently, the second transparency is constructed depending on both the first transparency and the secret message to be encrypted. A transparency consists of black and white pixels. Each pixel is subdivided into four subpixels, two black and two transparent (white) ones. Such a pixel, consisting of four subpixels, is termed share. Figure 2 depicts the possible shares of a $2 \times 2$ pixel. When creating the two transparencies each pixel is considered separately. If a pixel of the secret message has to be white, the corresponding pixel from the other transparency has to match exactly in order to be stacked together correctly, i.e. both pixels need to be identical, because black subpixels overwrite transparent ones. As a consequence the pixel combinations for the two transparencies depicted in Figure 3 are possible. As a pixel consists of two black and two white subpixels, we can never obtain a true white pixel, but only gray pixels representing the color white. That also explains the white noise that remains after the decryption of the secret message. In case a pixel has to be black in the resulting secret message, two complementary shares have to be chosen, as illustrated in Figure 3. Considering the possible pixel combinations in order to obtain black or white pixels, the following rules can be derived: To obtain a white pixel in the secret message choose identical pixel shares. To obtain a black pixel in the secret message choose complementary pixel shares.
The concrete implementation of the scheme described above is realized as follows: Two $2 \times 4$ matrices $C_0$ (repre-

Figure 1. Example for Visual Cryptography

cluding remarks.

MAIN IDEA

A main idea of visual cryptography is to practice secret sharing. Assuming a printed image's pixel information is distributed on $n$ transparencies, the image can be decrypted if and only if all $n$ transparencies are stacked together. That is to say, if these $n$ transparencies are distributed to $n$ parties, the transparency of each party has to be superimposed in order to decipher the secret message. Such schemes are referred to as n out of n schemes, because all $n$ of $n$ existing transparencies are required for the decryption process. A further possible approach is to generate a k out of n secret sharing scheme where at least $k$ of $n$ existing transparencies are required for the decryption, while $k - 1$ transparencies will not provide any information on the secret message. The simplest mechanism is realized as a 2 out of 2 secret sharing scheme which will be introduced first for a better understanding in preparation of the more general approaches. The 2 out of 2 scheme means that the secret message is distributed on two transparencies and the decryption requires exactly these two transparencies. Subsequently, we will generalize the 2 out of 2 scheme and describe how to create an n out of n scheme, followed by the description of the k out of n scheme. Finally, we will refer to further extensions of visual cryptography.

n out of n

In this section we will generalize the 2 out of 2 approach to the n out of n scheme. In an n out of n scheme the secret message is distributed on $n$ transparencies. In order to be able to decrypt the secret message all $n$ transparencies have to be stacked together. In other words, superimposing $l$ transparencies with $l < n$ will not reveal any information on the secret. There exist two possible ways to construct an n out of n scheme: first by using $2^n$, second by using $2^{n-1}$ subpixels. Since Moni Naor and Adi Shamir proved in their paper Visual Cryptography [21] that the second construction is optimal for any n out of n scheme, we will focus on this approach. Each transparency consists again of pixels, while each pixel is representing either the color white or the color black. Every pixel, referred to as share, is subdivided into $m$ subpixels which are black or white. The construction model for the n out of n scheme is the following:

1. The matrices $S_0 \in C_0$ and the matrices $S_1 \in C_1$ are of size $n \times 2^{n-1}$.
2. All columns of $S_0$ have an even number of 1s. $C_0$ is created by all possible permutations of $S_0$'s columns.
3. All columns of $S_1$ have an odd number of 1s. $C_1$ is created by all possible permutations of $S_1$'s columns.

Hereby, 0 denotes a white subpixel and 1 denotes a black one. The rules to obtain a white or a black pixel in the final secret message are the same as stated in the previous section: To obtain a white pixel in the secret message choose an array from $C_0$. To obtain a black pixel in the secret message choose an array from $C_1$. This scheme is applied to every single pixel of the original image in order to obtain the final transparencies. Furthermore, it is important to mention that the order of superimposing the transparencies is not relevant. In the following the k out of n scheme will be introduced where the secret is distributed on $n$ transparencies again, but only $k$ transparencies are necessary for the decryption of the secret message.
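The construction above, written out as an added Python example (not code from the paper). The function names are chosen here for illustration; the analysis checks that stacking all n rows separates white from black while any smaller set of rows sees the same columns for both colors.

```python
import random
from itertools import combinations, product


def basis_matrices(n):
    """Return (S0, S1), each a list of n rows with 2**(n-1) subpixels.

    Columns of S0 are all n-bit vectors with an even number of 1s,
    columns of S1 all vectors with an odd number of 1s (1 = black).
    """
    columns = list(product((0, 1), repeat=n))
    even = [c for c in columns if sum(c) % 2 == 0]
    odd = [c for c in columns if sum(c) % 2 == 1]

    def as_rows(cols):
        return [tuple(c[i] for c in cols) for i in range(n)]

    return as_rows(even), as_rows(odd)


def share_pixel(n, black, rng):
    """Pick one element of C1 (black) or C0 (white): a random column
    permutation of the basis matrix. Row i goes to transparency i."""
    basis = basis_matrices(n)[1 if black else 0]
    order = list(range(len(basis[0])))
    rng.shuffle(order)
    return [tuple(row[j] for j in order) for row in basis]


def stacked_weight(matrix, rows):
    """Number of black subpixels after stacking (OR-ing) the given rows."""
    return sum(any(matrix[i][j] for i in rows) for j in range(len(matrix[0])))


def restricted_columns(matrix, rows):
    """Multiset of columns visible to the holders of the given rows."""
    return sorted(tuple(matrix[i][j] for i in rows)
                  for j in range(len(matrix[0])))


def analyse(n):
    """Return (m, white weight, black weight, fewer_than_n_learn_nothing)."""
    s0, s1 = basis_matrices(n)
    everyone = range(n)
    # Column permutations change neither the stacked weight nor the column
    # multiset, so checking S0 and S1 covers every matrix in C0 and C1.
    blind = all(restricted_columns(s0, sub) == restricted_columns(s1, sub)
                for q in range(1, n)
                for sub in combinations(everyone, q))
    return (len(s0[0]), stacked_weight(s0, everyone),
            stacked_weight(s1, everyone), blind)


if __name__ == "__main__":
    for n in range(2, 6):
        m, white, black, blind = analyse(n)
        print(f"n={n}: m={m} white={white}/{m} black={black}/{m} "
              f"subsets of fewer than n shares indistinguishable: {blind}")
    for row in share_pixel(3, True, random.Random()):
        print(row)
```

A white pixel always keeps exactly one transparent subpixel (the all-zero column of $S_0$), so the visible difference between white and black is a single subpixel out of $2^{n-1}$.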
k out of n

Figure 3. Combinations for white (left) and black (right) pixels

senting the possible combinations for white shares as displayed in Figure 3) and $C_1$ (representing the possible combinations for black shares as displayed in Figure 3) are to be created. An element $S_{ij}$ of one of these matrices describes the $j$-th subpixel in the $i$-th transparency. That means, row $i$ of $C$ represents one pixel of the $i$-th transparency and column $j$ describes the $j$-th subpixel of the respective transparency. Hereby, 0 denotes a white subpixel and 1 denotes a black one.

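$$C_0 = \left\{ \begin{pmatrix} 1010 \\ 1010 \end{pmatrix}, \begin{pmatrix} 0101 \\ 0101 \end{pmatrix}, \begin{pmatrix} 0011 \\ 0011 \end{pmatrix}, \begin{pmatrix} 1100 \\ 1100 \end{pmatrix}, \begin{pmatrix} 1001 \\ 1001 \end{pmatrix}, \begin{pmatrix} 0110 \\ 0110 \end{pmatrix} \right\}$$

$$C_1 = \left\{ \begin{pmatrix} 1010 \\ 0101 \end{pmatrix}, \begin{pmatrix} 0101 \\ 1010 \end{pmatrix}, \begin{pmatrix} 0011 \\ 1100 \end{pmatrix}, \begin{pmatrix} 1100 \\ 0011 \end{pmatrix}, \begin{pmatrix} 1001 \\ 0110 \end{pmatrix}, \begin{pmatrix} 0110 \\ 1001 \end{pmatrix} \right\}$$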

The exemplary scheme can be translated into the following rules regarding the matrices introduced above: To obtain a white pixel in the secret message choose an array from $C_0$. To obtain a black pixel in the secret message choose an array from $C_1$. The scheme described above is applied to every single pixel of the original image. Furthermore, it is important to mention that the order of superimposing the transparencies is not relevant. In the following the 2 out of 2 scheme will be generalized to the n out of n scheme where the secret is distributed on $n$ transparencies and all $n$ transparencies are necessary for the decryption of the secret message.
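The 2 out of 2 rules above, applied to a whole bitmap, as an added Python example (not code from the paper). The function names and the sample bitmap are constructed for illustration; the six patterns are the rows of the matrices listed above.

```python
import secrets

# The six 2x2 share patterns listed on the page, flattened to 4 subpixels
# (0 = transparent/white subpixel, 1 = black subpixel).
PATTERNS = [(1, 0, 1, 0), (0, 1, 0, 1), (0, 0, 1, 1),
            (1, 1, 0, 0), (1, 0, 0, 1), (0, 1, 1, 0)]


def complement(pattern):
    """Swap black and transparent subpixels."""
    return tuple(1 - b for b in pattern)


def encrypt(secret, rng=None):
    """Split a 0/1 bitmap (1 = black) into two transparencies.

    Transparency 1 is drawn at random; transparency 2 repeats the pattern
    for a white pixel (array from C0) and uses the complementary pattern
    for a black pixel (array from C1).
    """
    rng = rng or secrets.SystemRandom()
    t1 = [[rng.choice(PATTERNS) for _ in row] for row in secret]
    t2 = [[complement(p) if pixel else p for p, pixel in zip(prow, row)]
          for prow, row in zip(t1, secret)]
    return t1, t2


def stack(t1, t2):
    """Superimpose two transparencies: black overwrites transparent (OR)."""
    return [[tuple(a | b for a, b in zip(p, q)) for p, q in zip(r1, r2)]
            for r1, r2 in zip(t1, t2)]


def decode(stacked):
    """Read a stacked pixel as black only if all 4 subpixels are black."""
    return [[1 if sum(p) == 4 else 0 for p in row] for row in stacked]


def render(transparency):
    """Expand each pattern to its 2x2 block; '#' = black, '.' = transparent."""
    lines = []
    for row in transparency:
        for half in (0, 2):
            lines.append("".join("#" if b else "." for p in row
                                 for b in p[half:half + 2]))
    return lines


# Constructed 4x5 sample bitmap (a letter "T"), not taken from the paper.
SECRET = [[1, 1, 1, 1, 1],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0]]

if __name__ == "__main__":
    t1, t2 = encrypt(SECRET)
    for title, t in (("share 1", t1), ("share 2", t2),
                     ("stacked", stack(t1, t2))):
        print(title, *render(t), sep="\n")
```

In the stacked output a white pixel still shows two black subpixels, which is the gray effect described above; each share on its own always has exactly two black subpixels per pixel.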

In this section we will have a closer look at a general model of the k out of n scheme with $k \leq n$. In this case the secret message is distributed on $n$ transparencies. In order to be able to decrypt the secret message at least $k$ transparencies have to be stacked together. Superimposing $l$ transparencies with $l < k$ will not uncover any information on the secret. In contrast to the n out of n scheme, not all $n$ transparencies are required for the decryption in case $k < n$.

Each transparency consists again of pixels, while each pixel is representing either the color white or the color black. Every pixel, i.e. share, is subdivided into $m$ subpixels, which are black or white. Let us introduce some more parameters. First, there is the Hamming weight $H(V)$, where $V$ is the result of the OR operation on each subpixel of the $n$ transparencies. $H(V)$ is the number of 1s in the resulting sequence of $b$s, where $b \in \{0, 1\}$ (0 denotes a white subpixel, 1 denotes a black subpixel), i.e. $V = [b_1, ..., b_n]$. An example is given in the following.

$$H(V) \geq d: \quad H(V_1) = 4 \geq 4 = d$$

As a result the respective matrix is perceived as a black pixel. The final condition points out that stacking together $q < k$ transparencies will always show the same pattern of subpixels. This assures that no information on the secret can be uncovered unless at least $k$ transparencies are superimposed. Important factors impairing the quality of visual cryptography schemes are in particular the contrast and the pixel expansion. As aforementioned, each pixel is represented by $m$ subpixels. $m$ is also referred to as the pixel expansion, describing that the constructed transparencies become $m$ times bigger than the original image to be encrypted. The contrast of a visual cryptography scheme is the ratio of white and black pixels. In the literature there is a lot of research on these two important quality properties [22, 5, 24, 17]. A further characteristic of visual cryptography is the perfect security [21]. To achieve this property the use of new transparencies for each secret message to be encrypted is assumed; otherwise information on the secret transparency key could be gained and, as a consequence, information on the plaintext can be obtained. On the one hand, the perfect security is a promising and strong property. On the other hand, this can lead to dangerous security gaps when visual cryptography is not applied reasonably. In the following we will state essential developments in the research area of visual cryptography.
Further Developments

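$$\begin{pmatrix} 1010 \\ 0101 \end{pmatrix} \xrightarrow{\text{OR}} V_1 = [1111], \qquad \begin{pmatrix} 1100 \\ 1100 \end{pmatrix} \xrightarrow{\text{OR}} V_2 = [1100]$$

where

$$\begin{pmatrix} 1010 \\ 0101 \end{pmatrix} \in C_1, \qquad \begin{pmatrix} 1100 \\ 1100 \end{pmatrix} \in C_0.$$

As a result we obtain $H(V_1) = \sum_{i=1}^{n} b_i = 4$ and $H(V_2) = 2$.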

Second, we define a fixed threshold $d$, with $1 \leq d \leq m$, and finally the relative distance $\alpha > 0$, with $\alpha = \frac{1}{n}$. Formally, it can be summarized that a k out of n scheme is obtained if the following requirements are satisfied, as pointed out in [21]:

1. For any $S$ in $C_0$, the OR $V$ of any $k$ of the $n$ rows satisfies $H(V) \leq d - \alpha m$.
2. For any $S$ in $C_1$, the OR $V$ of any $k$ of the $n$ rows satisfies $H(V) \geq d$.
3. For any subset $\{i_1, i_2, ..., i_q\}$ of $\{1, 2, ..., n\}$ with $q < k$, the two collections of $q \times m$ matrices $D_t$ for $t \in \{0, 1\}$ obtained by restricting each $n \times m$ matrix in $C_t$ (where $t = 0, 1$) to rows $i_1, i_2, ..., i_q$ are indistinguishable in the sense that they contain the same matrices with the same frequencies.

The first condition expresses the requirement matrices have to satisfy in order to be interpreted as white. Consequently, a pixel is interpreted as white if $H(V) \leq d - \alpha m$ is met. Let us further consider this requirement with respect to the example illustrated above in a 2 out of 2 scheme. For this purpose we introduce the following parameters: $m = 4$, $\alpha = \frac{1}{2}$, $d = 4$. Obviously, the first requirement is satisfied by $H(V_2)$:

In this section we will briefly state important developments in the area of visual cryptography. A drawback of the original schemes mentioned before is that a black pixel stays black, while a white pixel turns into gray. That means a loss of contrast can be observed. The two inventors of visual cryptography, Moni Naor and Adi Shamir, improved upon their initial 1994 design [21] in 1997 [22]. The main difference to their previous model is that there are three colors, e.g. red, yellow and a transparent color where red and yellow are opaque. In contrast to the original scheme, the order of the stacked transparencies is relevant. It is important to mention that the proposed scheme only refers to the 2 out of 2 scheme and each transparency now consists of $c$ sheets. More information about the new design can be found in [22] and further analysis and improvements on the contrast of visual cryptography schemes are presented in [5, 24]. Stefan Droste did not focus on the improvement of the contrast, but introduced two other extensions to the original mechanism in [8]. First, he presents an improved new principle for the construction of a k out of n scheme. Furthermore, he extends the n out of n scheme to a mechanism with a new property. The original scheme only gives information

$$H(V) \leq d - \alpha m: \quad H(V_2) = 2 \leq 2 = 4 - \frac{1}{2} \cdot 4$$

Consequently, the respective matrix is interpreted as a white pixel. The second condition expresses the requirement matrices have to meet in order to be perceived as black. A pixel is interpreted as black if $H(V) \geq d$ is fulfilled. With respect to the example introduced above we obtain:

Another interesting point is that secret sharing is also researched in the area of audio [11, 9] where the secret is distributed on two audio files and will only be revealed by playing the audio files simultaneously. The next section deals with application areas applying visual cryptography. We will briefly introduce the applications employing visual cryptography and state some advantages and disadvantages regarding the usability of those.
VISUAL CRYPTOGRAPHY IN APPLICATIONS

Figure 4. Example for visual cryptography for natural images [19]

on the final secret message when all required transparencies are stacked together. His new scheme offers the possibility to obtain a picture/information by stacking together each combination of the $n$ transparencies. None of the appearing pictures reveals any information on the final secret message, which is only decipherable by superimposing all $n$ transparencies. Other extensions are proposed in [2, 3, 4] where a generalization of visual cryptography to general access structures is proposed. An access structure can be described as a tuple $(P_q, P_f)$ where the subset $P_q$ of $n$ participants represents participants in the secret sharing system who are qualified/allowed to access the secret message and $P_f$ represents a subset of participants of all $n$ participants who are not allowed to access the secret message. When stacking together transparencies from participants $X_i \in P_q$ the secret message is uncovered, whereas when putting together transparencies from participants $X_i \in P_f$ the secret message cannot be revealed. In contrast to the general access scheme, the original k out of n or n out of n scheme utilized a so-called threshold access structure. This means any set of $k$ or $n$ transparencies will reveal the secret information and not a specified subset of those. Many researchers also deal with colored visual cryptography [15, 7, 18]. A special and interesting version of the color-oriented research is the extended visual cryptography for natural images [19]. The main idea in this scheme is to hide a secret natural image behind other natural images instead of behind images that exhibit white noise. As one can see in Figure 4, one has to input three pictures into the encryption system. One of them is the secret while the other pictures are used as the transparencies, which provide no information on the secret when they are considered separately. After encryption, one decrypts the secret by superimposing the two natural images.
In summary, we can observe that the current research on visual cryptography is focused on analyzing and improving the contrast of visual cryptography schemes and on extending the scheme from threshold access structures to general access structures. Furthermore, efforts on the development of colored visual cryptography can be recognized [15, 7, 18].

Visual cryptography can be encountered in several application areas, especially in applications aiming at confidentiality by means of cryptography. Exemplary application areas are key management and message secrecy [23]. Furthermore, visual cryptography can be used to transfer military images which have to be kept secret. Moreover, visual cryptography seems to provide an attractive and promising alternative for means of authentication, replacing authentication methods such as traditional passwords. The security objective authentication as well as identification can be reached with e.g. watermarking [14] based on visual cryptography. Furthermore, visual cryptography is used in the financial software named VCRYPT [13] and an application for electronic voting [6] which was introduced by Chaum. Visual cryptography can also be used in remote electronic voting applications [10] for means of authentication. For online banking applications VTANs based on visual cryptography [12] are proposed as an alternative to the traditional one-time passwords (TANs). In this section we will describe some possible applications regarding the usage of visual cryptography. Additionally, essential advantages and disadvantages regarding the usability will be stated.
Authentication and Data Integrity Verification

Naor and Pinkas introduced protocols for authentication and verifying the integrity of data with human interaction and low priced technology. In 1997 they brought out a paper which described several protocols based on visual cryptography [20]. The main focus is the security of these protocols but also the human as a part of the system. The user does not need to have security skills in these protocols.
VCRYPT - Encryption of Financial Documents

VCRYPT is a simple and fast visual cryptography technique, introduced in [13]. It can be used for transmitting financial documents via the Internet from office to office, if an adequate degree of security is required. In contrast to the original visual cryptography systems, VCRYPT can restore the document in the original image quality. The main procedure is the following: One has a document in due form like a bitmap file to send to the recipient. The sender uses VCRYPT to split the document into shares. These shares can be transmitted e.g. via email or ftp. The recipient only needs a subset of the shares and the decoding software to recover the original document. Due to the difficulty of modifying the final decrypted document the authentication of this document is secured (because all shares are sent separately, i.e. an adversary will only be able to view white noise and cannot change the message selectively). The security level can be increased if one sends the emails to several recipients, each email with one transparency as attachment. VCRYPT uses the k out of n scheme for this purpose. The advantage of this scheme is that if one transparency gets lost or is intercepted the document can still be recovered. At the same time the intercepted transparency does not provide any information on the plaintext. In particular, none of the receivers can change a bit of the message without destroying the entire plaintext. Moreover, it is important to mention that even if one of the receivers is an attacker he cannot decrypt the message on his own. He needs at least the other $k - 1$ transparencies which have been sent to other parties. The biggest problem of using visual cryptography in text documents is the graying effect. Black pixels of the original are black after encoding, but white pixels become gray. This effect makes visually encrypted text documents difficult to read after decoding. Furthermore, splitting pixels into $m$ subpixels enlarges the image size. VCRYPT resolves these drawbacks. All needed transparencies have to be imported in VCRYPT. The software replaces every gray pixel by a white one and every black pixel by a black one, each in the original size. After this the original image is restored. In summary, the author mentioned three advantages of VCRYPT:

1. There is no need for complex algorithms.
2. A simple software can be used.
3. The software restores the original image.

A drawback of this technique is the increasing storage costs. But this drawback becomes insignificant as the costs of memory and disks decrease.
Electronic Voting System
Figure 6. Voter after encoding the password [10].

Figure 5. Voter before decoding password [10].

Remote Electronic Voting

Chaum creates a new system, based on the 2 out of 2 visual cryptography system, that assures voters their vote was counted correctly. Each voter obtains a transparency from a trusted party. When the elector casts his vote at a terminal he can print his vote as a ciphertext on a piece of paper. With his transparency he can decrypt his vote by stacking together the printed sheet of paper and the transparency. After the elector has validated his vote he yields the piece of paper to the poll worker who subsequently destroys it. Now the transparency gives no hint about the secret. At home, the voter can again verify if his vote was counted correctly by visiting a specific website and getting his encrypted vote by entering a serial number. With the aid of the transparency he can decrypt the message on the monitor. If the decrypted message equals his vote the elector is assured that his vote was counted correctly [6].

The remote electronic voting system works in the same manner as the electronic voting system with the difference that the voter can cast his vote from his computer at home. The visual cryptography system is used to mutually authenticate both the voter and the system. First the voter has to visit the voting website. There he is asked to enter a 12 characters long serial number containing digits and characters. The website presents a password to the user encrypted by means of visual cryptography. By superimposing the transparency over the monitor, the voter can decrypt the password and enter it on the website. After the successful authentication process he can cast his vote to the system [10]. As one can see in Figure 5 [10] the user receives a picture with random looking black and white pixels on the monitor from the trusted party, here from the voting system. He has to superimpose his own transparency over the picture on the monitor, shown in Figure 6. After superimposing the transparency over the monitor, the secret code is deciphered and the user can enter his password in order to authenticate himself.
Image Watermarking

A new approach on image watermarking using visual cryptography is introduced in [14]. The watermark is distributed over two shares. One is embedded into the covert image, the other is kept as a secret key for validating the integrity of the image. To extract the watermark one simply has to superimpose the key share over the covert image. According to Hou and Chen's paper, this technique seems to be robust against attacks [14]. The authors highlighted three points where visual cryptography is beneficial compared to traditional image watermarking:

1. The watermark embedding is simpler than e.g. employing the Fourier Transform.
2. Extracting the watermark is easy because one only has to superimpose the key transparency over the watermarked image and verify by means of the human visual system.
3. Changing or removing the watermark is difficult because of the random patterns and the secret sharing behavior of visual cryptography.

An example for visual cryptography utilized in image watermarking can be viewed in Figure 7.

because the system is supposed to verify if the requesting subscriber station is qualified for the request. At the same time the system must authenticate itself, too. During the authentication process the base station and subscriber station exchange their secret shares. The authentication only succeeds if the secret can be revealed on each side. After a successful authentication the system process proceeds in the normal manner. In the following we will elaborate on the usability of visual cryptography. We will state general advantages and disadvantages of the novel scheme. Furthermore, we will concentrate on the benefits of visually encrypting secret messages compared to traditional mechanisms to assure the security objectives authenticity, integrity and confidentiality. Finally, we will discuss the applicability of visual cryptography as an alternative to login-password-authentication schemes.
USABILITY

In this section we will discuss the usability aspects of visual cryptography. Due to the lack of usability studies we will mainly introduce our own opinion. At first we will discuss general advantages and disadvantages regarding the usability of visual cryptography. Next, we will specialize our analysis and further consider the usability aspects compared to traditional mechanisms to assure the security objectives authenticity, integrity and confidentiality. In this context, integrity and authenticity can be assured with the same mechanisms. Finally, we will discuss the applicability of visual cryptography as an alternative to login-password-authentication schemes.
General Advantages

Figure 7. Picture without (left) and with (right) superimposing key transparency [14].

Online Banking via VTANs

In the past more and more attacks against online banking were observed. While banking institutions keep an eye on advanced security, most of the customers do not have this knowledge or the options to secure themselves against these attacks. For better security results VTANs were introduced. An approach utilizing VTANs was presented in [12]. VTANs are like TANs, but they are visual cryptography encoded shares on transparencies. To guarantee the integrity within a transaction, the banking institute sends the corresponding share as an image to the computer of the customer. The customer is asked to superimpose the adequate transparency over the sent image on his monitor. Now the customer is able to read the plaintext.
Mobile WiMAX - Authentication

An essential advantage of visual cryptography is that there is no need for any previous knowledge or experience in the field of cryptography in order to apply it. The technical details shown previously are totally irrelevant for the end user. The only thing he has to be able to do is superimpose two or more transparencies. Especially for usability aspects this point is a huge benefit. While most security mechanisms require a certain level of comprehension and experience for the application of complex operations in order to encrypt or decrypt a confidential subject, visual cryptography offers the possibility to be used by anyone. The decryption is only performed with the aid of the human visual system.
General Disadvantages

As easy as it is to use, visual cryptography also exhibits some disadvantages regarding usability aspects. The quality of the original image or text to encrypt decreases immensely during decryption, as the loss of resolution is inevitable. As a consequence the usage of too small fonts for the encryption of texts or images with many significant details is not appropriate for visual cryptography. Furthermore, the decrypted image or text is not true to the original. As a second disadvantage the transportation of the transparencies has to be mentioned. Imagine a person has a few accounts, e.g. in banks or postal offices. Each of these companies

Worldwide Interoperability for Microwave Access (WiMAX) is a Wireless Metropolitan Area Network (WMAN) standard. Requests sent to the base station have to be checked for means of authentication in a time consuming process. This is why WiMAX is vulnerable to Denial of Service (DoS) attacks. With the intention to avoid such malevolent overloads resulting in DoS a new pre-authentication scheme based on 2 out of 2 visual cryptography providing mutual authentication is presented in [1]. The scheme is termed pre-authentication

uses visual cryptography for means of customer identification. First, in order to identify himself via visual cryptography the person always has to take the required transparencies with him. More important, these transparencies have to be organized by the person in a reasonable manner because they are visually indistinguishable from each other. A possibility to find out which transparency is the correct one is to try all of the transparencies until the correct transparency is used. This method is not very user-friendly. An alternative could be to write on every transparency to which company and account it belongs, but by doing this the security would be decreased since information (e.g. company name, account number etc.) on the secret content would be disclosed. The next point regards the perfect security of visual cryptography, which exhibits the same characteristics as a One-Time-Pad [21], also termed OTP. As long as a One-Time-Pad key is used for only one message, it is perfectly secure. If one uses the same key for different messages the adversary can gain information about that key and consequently about the plaintext. The same characteristic applies to visual cryptography. As long as every distinct message is encrypted with a different key, i.e. a distinct transparency, the scheme is perfectly secure. Regarding the usability this issue is a drawback. Referring to the example mentioned above, one has to generate and print new transparencies each time he wants to authenticate himself for each account and company. This is not only time-consuming and extensive, but it is also costly. To complete the disadvantages there are two other points to discuss. The first one concerns the robustness of the transparencies. The other one concerns the problem for people who are handicapped. To decrypt a cipher one needs the corresponding undamaged transparency.
Due to the fact that the transparencies always have to be transported with the owner, the probability of damaging these transparencies is high. Potential damages include accidentally crumpling the transparencies or flaking of the printed pixels. That leads to the need for new transparencies, as the damaged ones cannot be used for decryption anymore and have to be changed. Again this is not user-friendly. Visually restricted people can hardly, if at all, apply visual cryptography because the decryption part is based on the human visual system which is limited for these handicapped people.
Usability Advantages Regarding Security Objectives

In the following we will briefly state the problematic aspects of traditional applications to ensure the security objectives integrity, authenticity and confidentiality. Furthermore, we will describe how these aspects could be improved with the aid of visual cryptography.
Integrity/Authenticity

Integrity and authenticity can be achieved amongst others with digital signatures. Digital signatures are based on asymmetric cryptography. In some cases the configuration of this mechanism is hard to understand, even for experienced people with some security background knowledge. In these cases inexperienced users are totally lost. Those users do not know the correct settings to achieve an optimal security level. Some of them might even think that the particular system secures the environment in the background without having to configure anything. Even if the securing process runs in the background some users might not trust the system. This applies especially to critical systems like electronic voting or online banking. Visual cryptography solves these types of problems. First, even inexperienced users are able to apply it. Second, the user himself has to act in order to secure the system and obtains a feeling of control which increases his trust in the system. Due to these reasons the usability can be increased by means of visual cryptography.
Confidentiality

Confidentiality can be achieved amongst others with encryption. There exist several tools to encrypt files, folders and devices. These tools usually require a password to encrypt the data. With more experience, one can generate a key and store it on a mobile device like a flash drive, so that one only has to plug the USB flash drive into the computer and can decrypt all encrypted data with the stored keys. In the first case, one could forget the password and, as a result, would not be able to access the encrypted file. In the second case, one has to have some experience with the mechanisms to configure and generate these keys. Visual cryptography can help to encrypt and decrypt data like texts or pictures in a more usable manner. Other things like devices, folders etc. cannot be encrypted by means of visual cryptography. Considering the benefits of visual cryptography to assure the security objectives mentioned above we imply that replacing the traditional application of login-password-authentication entirely by visual cryptography might be reasonable. In the next part, we will analyze the applicability of visual cryptography to general login authentication schemes.
Discussion - Applicability of Visual Cryptography instead of Login-Password-Authentication

The security of login-password-authentication schemes is highly dependent on the security of the used passwords. In order to obtain an optimal security level each account should be secured with a unique password satisfying certain requirements (e.g. at least eight characters long, the password has to contain numbers, characters and special characters). In particular, the password should not be vulnerable to dictionary attacks. That is to say, random looking passwords are desirable. These requirements raise a huge problem regarding the usability and security. Most people choose the convenient, but less secure way. They pick passwords they can easily keep in mind. Especially, passwords containing family names, birthdays or simple keyboard combinations such as 1234 or qwertz are popular. Particularly, these types of passwords are extremely vulnerable. In addition, most users use the same password for different applications or accounts, which again radically decreases the security level of the used systems. On the other side, when using different random looking passwords for each application one has to note them down, because keeping in mind each single password is not possible for average users if those passwords are not used continuously.

A more convenient alternative to this scheme might be visual cryptography. In the context of visual cryptography the user who wants to authenticate himself to a counterparty like banks, e-voting systems or applications of the computer receives a cipher from the counterparty. The user can decrypt the cipher with the respective key transparency and then enter the decrypted text into a provided password field and submit it. A successful verification of the password includes the mutual authentication of the parties. This solution raises a similar disadvantage as the traditional login-password-authentication scheme: A user must not write on a transparency to which application it belongs. That is, information like login names also are not to be written on the transparencies in order not to decrease the security. Obviously, here we have a security lack, too. As no one will be able to distinguish random looking transparencies they will have somehow to note which transparency belongs to which account or application. This problem is comparable to the problem of login-password-authentication schemes of writing down passwords.

A further important point is the perfect security requirement of visual cryptography. Due to the similarity of visual cryptography to the One-Time-Pad regarding the security, it is inevitable that for each authentication process new transparencies are created. That is to say, if some different plaintexts are encrypted with the same key transparency the attacker can draw conclusions on the key and consequently on the plaintext. Hence, visual cryptography exhibits the character of a one-time-password like TANs. Key transparencies have to be printed by the user or the counterparty, which increases the costs and decreases the usability.
If for reasons of convenience the same transparencies are used multiple times the security will be endangered. Obviously, visual cryptography cannot completely eliminate the gap between usability and security. Even when applying visual cryptography the security aspect is somehow impaired in a negative way. In the next section essential concluding remarks regarding visual cryptography will follow.
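The key-reuse weakness described above, and in the One-Time-Pad comparison in the disadvantages section, shown as an added example that is not code from the paper. It assumes the classic 2 out of 2 construction with two subpixels per secret pixel; all function names and the sample pixel rows are constructed for illustration.

```python
import secrets

PATTERNS = ((0, 1), (1, 0))  # 1 = black subpixel, 0 = transparent subpixel

def make_key(n_pixels):
    """Key transparency: one random 2-subpixel pattern per secret pixel."""
    return [PATTERNS[secrets.randbelow(2)] for _ in range(n_pixels)]

def encrypt(secret, key):
    """Cipher transparency: copy the key pattern for a white pixel (0),
    use the complementary pattern for a black pixel (1)."""
    return [k if s == 0 else (1 - k[0], 1 - k[1]) for s, k in zip(secret, key)]

def stack(sheet_a, sheet_b):
    """Superimpose two transparencies: black on either sheet stays black (OR)."""
    return [(a[0] | b[0], a[1] | b[1]) for a, b in zip(sheet_a, sheet_b)]

def view(stacked):
    """What the eye reads: a fully black block is black (1), half black is white (0)."""
    return [1 if sum(block) == 2 else 0 for block in stacked]

def decrypt(cipher, key):
    """Intended use: the key holder stacks the key on the cipher."""
    return view(stack(cipher, key))

def stack_two_ciphers(secret_a, secret_b, reuse_key):
    """Stack two cipher sheets without any key, as an observer of both could."""
    key_a = make_key(len(secret_a))
    key_b = key_a if reuse_key else make_key(len(secret_b))
    return view(stack(encrypt(secret_a, key_a), encrypt(secret_b, key_b)))

# Constructed sample secrets: two rows of eight pixels (1 = black).
SECRET_A = [0, 1, 1, 0, 1, 0, 0, 1]
SECRET_B = [1, 1, 0, 0, 1, 1, 0, 0]
DIFFERENCE = [a ^ b for a, b in zip(SECRET_A, SECRET_B)]

if __name__ == "__main__":
    key = make_key(len(SECRET_A))
    print("decrypted with key :", decrypt(encrypt(SECRET_A, key), key))
    # Reused key: the two ciphers alone show exactly where the secrets differ.
    print("ciphers, same key  :", stack_two_ciphers(SECRET_A, SECRET_B, True))
    print("A xor B            :", DIFFERENCE)
    # Fresh keys: the stacked ciphers are random and change on every run.
    print("ciphers, fresh keys:", stack_two_ciphers(SECRET_A, SECRET_B, False))
```

With a reused key transparency, whoever sees both ciphers learns the pixelwise difference of the two secrets, so knowing or guessing one secret reveals the other; with a fresh key per message the stacked ciphers carry no such structure.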
CONCLUDING REMARKS

In this paper we introduced the new concept of visual cryptography, which basically combines secret sharing with traditional cryptography and aims at the advancement of usability aspects for average users who are not security experts. An outstanding characteristic of visual cryptography providing a pre-eminent benefit compared to other security schemes is that the decryption of visually encrypted material is achieved solely by the human visual system. We first presented the technical realization of various visual cryptography schemes like the 2 out of 2, n out of n and the k out of n scheme. Next, we introduced several applications utilizing visual cryptography and finally we analyzed the usability aspects of visual cryptography. In the following we will provide additional concluding remarks.

Regarding the technical implementation of visual cryptography schemes, it is important to point out that the implementation, e.g. the encryption of a secret message by means of visual cryptography schemes, is not as trivial as the decryption of it. While the encryption requires technical knowledge and experience in implementation issues, the deciphering of the secret message requires no special skills, neither in the area of security applications nor in other fields. The only thing the user has to be able to do is superimposing several transparencies, which is an immense advantage compared to other security applications, such as encrypting emails or other objects, where complex and confusing operational steps have to be taken for e.g. the configuration of the systems.

The gulf between security and usability is a problem experts have been trying to resolve for many years. The central issue usable security always brings with it is that conflicts between the usability and security aspects of applications are most times inevitable. Indeed, it is a fact that in many applications the security is decreased in order to increase the usability of the system, as no average user would be able to deal with security applications requiring extensive knowledge and experience in this area (they would most likely use programs without these challenging security options instead or just ignore the provided options). Regarding this aspect visual cryptography seems to be a promising approach to resolve the gap between security and usability. This is also emphasized by the wide spectrum of applications in which visual cryptography is utilized.
The areas in which visual cryptography is applied reach from encrypted transaction of financial documents to ensuring confidentiality and integrity over e-voting and remote e-voting to systems assuring authenticity and verifying the own vote to watermarking for integrity verification and authentication issues we briefly introduced in this paper.

Due to the lack of usability studies, we mainly stated our own impression and opinion regarding usability aspects. Considering the applications utilizing visual cryptography, one can observe that applying visual cryptography in several areas is definitely usable and reasonable as it requires no expert knowledge on security issues, which in turn offers a huge chance for acceptance in public. Nevertheless, one has to face the discussed drawbacks (cf. Section General Disadvantages), but regarding the traditional security schemes and the essential benefit visual cryptography brings with it, they are negligible in our point of view. We are convinced that visual cryptography is very reasonable particularly in application areas with which the user is not confronted in everyday life. These applications might e.g. be (remote) e-voting and digital watermarking by means of visual cryptography. Due to the similarity of VTANs to the traditional well-known TANs we also firmly believe that visual cryptography can be established as a standard scheme for these purposes. As visual cryptography is much more user-friendly and intuitive for the user than the traditional login and password schemes this approach should definitely be further researched and also established as a standard in applications relying on authentication schemes.

On the other side, we do not feel confident that visual cryptography will be able to replace all security (authentication, confidentiality, etc.) mechanisms entirely. However, it might extend such schemes in order to achieve a higher security level. In our opinion visual cryptography will not be able to become accepted in applications used in everyday life as it brings too many inconvenient aspects with it, such as the printing of new transparencies after every login or the need for special printing equipment. All in all, we are thoroughly convinced that visual cryptography should be further developed and especially be established in application areas that require high security levels and that are not used in everyday life.
REFERENCES

1. A. Altaf, R. Sirhindi, and A. Ahmed. A Novel Approach against DoS Attacks in WiMAX Authentication Using Visual Cryptography. In Emerging Security Information, Systems and Technologies, 2008. SECURWARE '08. Second International Conference on, pages 238-242. IEEE, 2008.
2. G. Ateniese, C. Blundo, A. De Santis, and D. Stinson. Constructions and bounds for visual cryptography. Automata, Languages and Programming, pages 416-428, 1996.
3. G. Ateniese, C. Blundo, A. De Santis, and D. Stinson. Visual Cryptography for General Access Structures. Information and Computation, 129(2):86-106, 1996.
4. G. Ateniese, C. Blundo, A. De Santis, and D. Stinson. Extended schemes for visual cryptography. Theoretical Computer Science, 250(1-2):143-161, 2001.
5. C. Blundo, A. De Santis, and D. Stinson. On the contrast in visual cryptography schemes. Journal of Cryptology, 12(4):261-289, 1999.
6. D. Chaum. Secret-ballot receipts and transparent integrity. IEEE Security & Privacy, 2(1):38-47, 2004.
7. S. Cimato, R. De Prisco, and A. De Santis. Colored visual cryptography without color darkening. Theoretical Computer Science, 374(1-3):261-276, 2007.
8. S. Droste. New results on visual cryptography. In Advances in Cryptology-CRYPTO '96, pages 401-415. Springer, 1996.
9. M. Ehdaie, T. Eghlidos, and M. Aref. A novel secret sharing scheme from audio perspective. In Telecommunications, 2008. IST 2008. International Symposium on, pages 13-18. IEEE, 2008.
10. N. Evans, A. Rubin, and D. Wallach. Authentication for Remote Voting. In Workshop on Human-Computer Interaction and Security Systems, 2003.
11. N. Fujita, R. Nishimura, and Y. Suzuki. Audio secret sharing for 1-bit audio. Acoustical Science and Technology, 27(3):171-173, 2006.
12. U. Greveler. VTANs-Eine Anwendung visueller Kryptographie in der Online-Sicherheit. Kryptologie in Theorie und Praxis, 2007.
13. L. Hawkes, A. Yasinsac, and C. Cline. An Application of Visual Cryptography to Financial Documents. Security and Assurance in Information Technology Laboratory Computer Science Department Florida State University, 2000.
14. Y. Hou and P. Chen. An asymmetric watermarking scheme based on visual cryptography. In Signal Processing Proceedings, 2000. WCCC-ICSP 2000. 5th International Conference on, volume 2, pages 992-995. IEEE, 2002.
15. A. Klein. Farbige visuelle Kryptographie. GhK, Fachbereich Mathematik/Informatik, 2001.
16. A. Klein. Visuelle Kryptographie. Springer, 2007.
17. T. Lin, N. Shiao, H. Chen, and C. Tsai. A new non-expansion visual cryptography scheme with high quality of recovered image. In Frontier Computing. Theory, Technologies and Applications, 2010 IET International Conference on, pages 258-263. IET.
18. R. Lukac, K. Plataniotis, B. Smolka, and A. Venetsanopoulos. A new approach to color image secret sharing. In EUSIPCO. Conference, 2004.
19. M. Nakajima and Y. Yamaguchi. Extended visual cryptography for natural images. Journal of WSCG, 10(2):303-310, 2002.
20. M. Naor and B. Pinkas. Visual authentication and identification. In Advances in Cryptology-CRYPTO '97: 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1997. Proceedings, page 322. Springer, 1997.
21. M. Naor and A. Shamir. Visual cryptography. In Advances in Cryptology-EUROCRYPT '94, page 1. Springer, 1995.
22. M. Naor and A. Shamir. Visual cryptography II: Improving the contrast via the cover base. In Security Protocols, pages 197-202. Springer, 1997.
23. T. Yue and S. Chiang. A neural network approach for visual cryptography. In Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks, 2000. IJCNN 2000, pages 494-499, 2000.
24. H. Zhang, X. Wang, and Y. Huang. General construction for ideal contrast visual secret sharing scheme with reversing. Proceedings of Information Technology and Environmental System Sciences, 4:212-216, 2008.
