Image sharing without data overhead

Question

The idea is to share $n$ images among $n$ persons so that all images can be reconstructed by someone in possession of all shares.

However, there must not be any data overhead (which means the shares sent to the persons must not be bigger in size than the original images. In other terms: No data overhead).

The idea is to encode two images $A$ and $B$ like this:

$$Q = A + B + Secret\\ U = A - B + Secret$$

which allows for reconstruction of $B$ through

$$Q - U = A + B + Secret - A + B - Secret = 2B\\ B = (Q - U) / 2$$

after that $A$ can be reconstructed by

$$A = Q - B - Secret$$

$Secret$ is required because simply doing $A + B$ or $A - B$ visually leaks information about the images to the other persons. The trick is to calculate the secret through the image $B$. (For example by calculating a hash of B and then feed it to a PRNG and then use this PRNG to generate the secret numbers you add to each pixel (ask for a new number for every pixel)).

In Pseudo-Code:

seed = hash(B);
r = Random(seed);
for (x,y) to (WIDTH, HEIGHT):
  secret = r.nextInt(255);
  Q[x,y] = A[x,y] + B[x,y] + secret;
  U[x,y] = A[x,y] - B[x,y] + secret;

Arithmetic is $\mod(M)$ of course, where $M$ is a reasonable odd modulus for the required color depth etc. This method can be extended to more than two images. The odd modulus is what allows one to reconstruct the result uniquely.

The question now is: what fatal security flaws does this method have, if any?

Answer 1

A Flaw

If you try working through your example concretely then you should see at least one issue with decoding. Consider values mod $8$:

$ A = { 3 } \\ B = {7} \\ secret = {5 } $

Using your equations we have:

$ Q = 3 + 7 + 5 = 7 \\ U = 3 - 7 + 5 = 1 $

And for decoding:

$ B = (U - Q) / 2 \\ B = (1 - 7) / 2 \\ B = -6 / 2 ({\text mod} 8) $

But what is $\frac{-6}{2}$ modulo 8? How do we get a unique answer here?

Alternatives

Your constraints are a little unclear, but if you're OK with storing $(1 + {\text nrImages})*|{\text image}|$ (A, B, and secret) then use linear integer secret sharing in a traditional manner (below). Obviously this is a little silly seeing as you could use any symmetric encryption algorithm, given that you have a secret.

If you only want to store ${\text nrImages}|image|$ data, and not the secret, then that is harder as you'll have to derive the secret from the combined shares. For example we could have a small feistel network:

$ Q0 = A + PRF(B) \\ U = B + PRF(Q0) \\ Q = Q0 + PRF(U) $

Now $U$ and $Q$ are your secrets, protected ONLY by the entropy of A and B and the strength of your PRF. The entropy in the images could actually be increased without visually altering the typical image.

To decrypt:

$ Q0 = Q - PRF(U) \\ B = U - PRF(Q0) \\ A = Q0 - PRF(B) $

Basic application of LISS

For LISS just generate a random secret, $s$, and compute:

$ Q = A + B + S \\ U = B + S $

Then, once the shares and the secrets are collected, you can reverse the process via:

$ A = Q - U \\ B = U - S $