Content uploaded by Yang-Wai Chow
Author content
All content in this area was uploaded by Yang-Wai Chow on Dec 05, 2017
Content may be subject to copyright.
Exploiting the Error Correction Mechanism in
QR Codes for Secret Sharing
Yang-Wai Chow1, Willy Susilo1, Guomin Yang1, James G. Phillips2, Ilung
Pranata3and Ari Moesriami Barmawi4
1Centre for Computer and Information Security Research, School of Computing and
Information Technology, University of Wollongong, Australia
{caseyc, wsusilo, gyang}@uow.edu.au,
2Department of Psychology, Auckland University of Technology, New Zealand
jphillip@aut.ac.nz,
3School of Design, Communication and Information Technology, University of
Newcastle, Australia
ilung.pranata@newcastle.edu.au,
4School of Computing, Telkom University, Indonesia
mbarmawi@melsa.net.id
Abstract. This paper investigates a novel approach to secret sharing
using QR codes. The proposed QR code secret sharing approach ex-
ploits the error correction mechanism inherent in the QR code structure,
to distribute and encode information about a secret message in a num-
ber of shares. Each share in the scheme is constructed from a cover QR
code, and each share itself is a valid QR code which can be scanned and
decoded by a QR code reader. The secret message can be recovered by
combining the information contained in the QR code shares. Since each
share is a valid QR code, the proposed scheme has the advantage of re-
ducing the likelihood of attracting the attention of potential attackers. In
addition, the shares can be distributed via public channels without rais-
ing suspicion. Moreover, shares do not have to be stored or transmitted
electronically, as QR codes can be distributed via printed media.
Keywords: Error correction, QR code, secret sharing
1 Introduction
A secret sharing scheme refers to a method by which a dealer encodes a secret
into a number of shares and distributes these shares to a group of participants.
Individually, the shares reveal no information about the secret. The secret can
only be reconstructed when information from an authorized number of shares is
combined [2]. By splitting and encoding a secret into a number of shares, secret
sharing overcomes the problem of storing a secret in a single information-carrier,
which can easily be lost or damaged [19, 21]. Secret sharing schemes are impor-
tant tools that have found many applications in cryptography and distributed
computing [2]. In addition, secret sharing is also regarded as a mechanism that
2 Y.W. Chow et al.
can be used to transfer secret information via public channels in cryptography
[25]. This paper investigates a novel approach to secret sharing by distributing
and encoding a secret into a set of Quick Response (QR) codes.
The concept of secret sharing was first introduced independently by Blakley
[3] and Shamir [18]. The secret sharing schemes that they proposed are known
as k-out-of-n, or (k,n), threshold schemes. In a (k,n) secret sharing scheme, a
secret is divided into nshares, where n>1, and k, or more, shares are required to
reconstruct the secret. Even complete knowledge of any k−1, or fewer, shares will
reveal no information about the secret. Since its inception, many different secret
sharing schemes have been proposed [1, 2, 8, 7, 16, 17, 19–22, 25]. Some schemes
require complex numerical computation, whilst others require little or no com-
putation [21]. Of the varying approaches, image sharing can be seen as a subset
of the general secret sharing problem as the secret is a concealed image [22]. One
of the popular ways of secret image sharing is known as visual cryptography [17].
Visual cryptography is a method of encoding and distributing a binary image
into a number of shares, each to be printed on separate transparencies. When
the qualified number of shares are stacked together, the human visual system
can recover the secret image without the need for any computation.
Each share in visual cryptography looks like a random pattern of pixels. In
an extension to visual cryptography, known as extended visual cryptography,
each share is encoded using a meaningful cover image [1]. This means that when
viewed individually, a meaningful, albeit noisy, image is visible on each share.
The advantage of encoding the secret image into shares containing ‘innocent-
looking’ meaningful cover images is that it reduces the likelihood of attracting
the attention of attackers [20].
While the advantage of these visual secret sharing schemes is that decryption
can be performed by the human visual system without any computation, these
approaches suffer from a number of problems, including pixel expansion, contrast
issues, share misalignment and the visual quality of the reconstructed image [4,
8, 16, 26]. Secret image sharing techniques have also been proposed to share and
hide a secret image by distributing and embedding the information required to
reconstruct the secret image in a number of digital images, each of which is
a meaningful cover image [19]. However, these techniques hide information in
digital images. Therefore, decryption must be performed on the digital image
shares, which necessitates that the shares must be distributed via electronic
means.
Our Contribution. This paper introduces a novel approach to secret sharing
by distributing and encoding a secret message into a number of QR code shares.
The proposed approach exploits QR code error correction redundancy, which is
an inherent feature of the QR code structure. The advantage of this approach is
that each share is a meaningful QR code, which individually does not reveal the
secret message. The secret message can be recovered by combining the informa-
tion contained in the QR code shares. Since each QR code share can be scanned
and decoded by any standard QR code reader, this means that the shares can be
QR Code Secret Sharing 3
distributed via public channels without raising suspicion. In addition, since QR
codes are meant to be scanned by a QR code reader, the shares do not have to
be stored or transmitted electronically and can be distributed via printed media.
Furthermore, the shares can be constructed using any artistic QR code method
as long as it can be scanned and read. Therefore, each QR code share can be
constructed using a different artistic QR code scheme in order to increase the
secret sharing subterfuge by reducing the likelihood of attracting the attention
of potential attackers.
2 Related Work
The QR code is a two-dimensional code that was invented by the company Denso
Wave [10]. In recent years, QR codes have seen widespread adoption due to its
convenience and ease of use, as any smartphone equipped with a camera and
QR code reader can retrieve the information encoded within a QR code. The
application of the QR code in the area of information security has previously been
proposed for a number of different purposes. For example, QR codes have been
used for authenticating visual cryptography shares [23], e-voting authentication
[11] and for digital watermarking [14].
QR codes have also been used in the area of data hiding and steganography.
Among the work conducted in this area, Wu et al. [24] proposed a data embed-
ding approach for hiding a QR code in a digital image. Their purpose was to
camouflage the appearance of a QR code in an image so as not to degrade the
visual quality of the picture. Huang et al. [12] developed a reversible data hiding
approach for images with QR codes. The purpose of their method was to avoid
a QR code from degrading the quality of the image or concealing information
contained in the image. In their approach, using reversible data hiding a portion
of an image is hidden in the rest of the image. This portion is replaced with
a QR code. Once the QR code has been scanned, it will be removed from the
image and the original image will be restored using the data that was previously
hidden in the rest of the image. A nested image steganography scheme was pro-
posed by Chen and Wang [6] using QR codes. In their approach, two types of
secret data, in the form of text (lossless) and image (lossy), are embedded into a
cover image. The text portion of the secret data is embedded using a QR code.
A similar approach was also reported in Chung et al. [9].
Unlike approaches that first convert a secret into a QR code before embed-
ding it into a cover image, Lin et al. [15] introduced a scheme for concealing
secret data in a cover QR code. Their approach capitalizes on the error correc-
tion property of a QR code in order to conceal secret data. The amount of secret
data that can be concealed depends on the QR code version and error correction
level that is used. Bui et al. [5] also investigated the problem of hiding secret
information in a QR code. They argue that previous approaches to embedding
secret messages in QR codes use bit embedding which is vulnerable to modifica-
tion attacks. Consequently, they propose a method of using Reed-Solomon code
and list decoding to hide a secret message in a QR code.
4 Y.W. Chow et al.
3 Background
The International Organization for Standardization (ISO) has established a stan-
dard for the QR code (ISO/IEC18004) [13]. This section outlines the basic QR
code structure and error correction feature as defined by the ISO standard.1
3.1 The QR Code Structure
A QR code symbol is constructed as a two-dimensional array of light and dark
squares, referred to as modules. There are forty sizes of QR code symbol versions
ranging from version 1 to version 40. Each QR code symbol version is comprised
of a different number of modules, and as such different QR code versions give rise
to different data capacities. Version 1 is made up of 21×21 modules, and each
successive version increases by 4 additional modules per side, up to version 40
which is made up of 177×177 modules. The appropriate version to use depends on
the amount and the type of data (alphanumeric, binary, Kanji or a combination
of these) to be encoded as well as the error correction level. The error correction
level will be described in Section 3.2 to follow.
The QR code structure consists of encoding regions and function patterns
[13]. An example of the encoding regions and function patterns for a QR code
version 7 symbol is illustrated in Fig. 1. As can be seen from the figure, a
QR code symbol is surrounded by an empty region known as the quiet zone,
which should have the same reflectance value as the light modules. Function
patterns do not encode data, they consist of the finder patterns, separators,
timing patterns and alignment patterns. There are three identical finder patterns
located at each corner, except the bottom right corner, of the symbol. These
are used by a QR code reader to recognize the QR code and to determine the
rotational orientation of the symbol. The separators are one module wide, and
are constructed from light modules to separate the finder patterns from the
encoding region. Timing patterns are alternating light and dark modules used
to determine module coordinates in the symbol. Alignment patterns allow QR
code readers to compensate for image distortion. Different QR code versions
have a different number of alignment patterns.
3.2 Encoding and Error Correction
The encoding region consists of data codewords and error correction codewords,
format information and version information (version information is only used in
QR code version 7 and above). Message data is encoded as a bit stream which
is divided into a sequence of codewords. All codewords are 8-bits in length.
The codewords are divided into a number of error correction blocks, based on
the QR code version and error correction level, and an appropriate number of
error correction codewords are generated for each block. Error correction allows
1For a comprehensive description of the QR code structure and error correction mech-
anism, please refer to the ISO standard (ISO/IEC18004) [13].
QR Code Secret Sharing 5
Fig. 1. QR code version 7 structure.
correct decoding of the message in the event that part of the symbol is dirty or
damaged. This error correction feature has also been exploited to embed art or
other information in QR code symbols.
The QR code employs Reed-Solomon error control coding for error detection
and correction [13]. There are four error correction levels that the user can select.
Each level provides a different error correction capacity (L ∼7%, M ∼15%, Q ∼
25% and H ∼30%). Higher error correction levels improve the recovery capacity,
but also increases the amount of data to be encoded. This means that if the same
message were to be encoded using a higher error correction level, a larger QR
code version may be required. The number of data codewords, error correction
blocks and error correction codewords depend on the QR code version and error
correction level. Table 1 shows these characteristics for QR code version 4 and
5. In the table, the error correction codewords for each block is given as (c,k,r),
where cis the total number of codewords, kis the number of data codewords and
ris the error correction capacity. Note that some QR code versions have blocks
with different (c,k,r) values for certain error correction levels. For example, it
can be seen in Table 1 that QR code version 5 with an error correction level of Q
has a total of 4 error correction blocks. The (c,k,r) values for the first 2 blocks
are (33, 15, 9) while the values for the next 2 blocks are (34, 16, 9).
The codewords from the blocks are encoded in an interleaved manner, with
the error correction codewords appended to the end of the data codeword se-
quence. This is done to minimize the possibility that localized damage will cause
the QR code to become undecodable. Fig. 2 shows the data codeword and error
correction codeword arrangement for QR code version 4, with an error correc-
tion level of H. After encoding the codewords, a data mask is applied to the
encoding region. There are a total of eight data mask patterns. The purpose of
the data mask is to balance the light and dark modules, as well as to minimize
the occurrence of undesirable patterns that may potentially confuse a QR code
reader. Note that the data mask is not applied to the function patterns.
The format information is a 15-bit sequence consisting of 5 data bits and 10
error correction bits. Two copies of this information are encoded in a QR code
symbol, as can be seen in Fig. 1. Of the 5 data bits, the first 2-bits indicate the
error correction level and the next 3-bits indicate the data mask pattern used in
6 Y.W. Chow et al.
Table 1. Error correction characteristics for QR code version 4 and 5 [13].
Total Error Number Error correction
Version codewords correction of blocks codewords per block2
level (c, k, r)
4 100
L 1 (100, 80, 10)
M 2 (50, 32, 9)
Q 2 (50, 24, 13)
H 4 (25, 9, 8)
5 134
L 1 (134, 108, 13)
M 2 (67, 43, 12)
Q 2 (33, 15, 9)
2 (34, 16, 9)
H 2 (33, 11, 11)
2 (34, 12, 11)
the QR code symbol. Error correction for the format information is performed
using the Bose-Chaudhuri-Hocquenghem (15, 5) code, which allows for an error
of 3-bits, or less, to be corrected. The 15-bit long data bit string is XORed with
a specific mask to ensure that the format information bit sequence does not
contain all zeros for any combination of data mask pattern and error correction
level.
Version information is only contained in QR code version 7 and above. It
consists of an 18-bit sequence consisting of 6 data bits and 12 Golay error cor-
rection bits. The (18, 6) Golay code allows up to 3-bit errors to be corrected. Its
purpose is to convey version information to a QR code reader, for example, for
QR code version 7 the 6-bit data string is 000111. QR code version 7 and above
contain two copies of this information, as depicted in Fig. 1.
4 Proposed QR Code Secret Sharing (QRCSS) Scheme
The error correction mechanism in the QR code makes it possible to manipulate
some of the codewords, while still maintaining a QR code symbol that can be
correctly decoded. The approach proposed in this paper is an (n,n) secret shar-
ing scheme which will be referred to as QR Code Secret Sharing (QRCSS). The
idea behind QRCSS is to exploit the error correction redundancy in the QR code
structure, in order to take a QR code containing a secret message and to dis-
tribute and encode its information into nQR code shares. Each share is a valid
and decodable QR code in themselves, which are each constructed from a mean-
ingful cover QR code. The secret message can be recovered by first XORing the
light and dark modules contained in the encoding region of the nQR code shares
and adding the function patterns. This will produce a resulting QR code that
when decoded will reveal the secret message. In the proposed scheme, the cover
2c = total number of codewords, k = number of data codewords, r = error correction
capacity
QR Code Secret Sharing 7
Fig. 2. Data and error correction codeword arrangement for QR code version 4 with
error correction level H.
QR codes and the secret QR code must be of the same QR code version with
the same error correction level. This is so that all the codewords and codeword
blocks are at exactly the same locations across all the QR code symbols.
4.1 Number of Shares
An indication of the minimum number of QR code shares, n, required to share
a secret QR code can be determined using the approximate recovery capacity
previously discussed in Section 3.2. For example, to share a secret QR code using
the error correction level H (i.e. 30%), the minimum number of QR code shares
required is 3. This is because up to ∼30%3of the codewords per block in each
QR code share can be manipulated, which allows up to ∼30% ×3≈90% of the
codewords in the secret QR code to be distributed across the QR code shares.
This means that the error in the reconstructed secret QR code is at least ∼10%.
As long as the error in the reconstructed secret QR code is no more than its error
correction capacity, which is ∼30%, the secret can be recovered. It can easily be
seen that it is not possible to share the secret using only 2 QR code shares, as
the reconstructed secret QR code will contain a minimum of ∼40% error, which
overwhelms the error correction capacity and hence cannot be decoded correctly.
This also means that the greater the number of shares used to share a secret, the
smaller the amount of error that has to be introduced in each QR code share. An
indication of the minimum number of shares required for the proposed QRCSS
scheme for the respective error correction level is as follows: L (n≥14), M (n
≥6), Q (n≥4), and H (n≥3).
3In practice, it is not advisable to introduce this much error in the QR code shares,
because any damage or dirt may make the QR code symbol undecodable.
8 Y.W. Chow et al.
4.2 Codewords
The QR code error correction levels of L ∼7%, M ∼15%, Q ∼25% and H ∼30%,
are merely approximate values. The exact error correction capacity depends on
the QR code characteristics, which varies between the different QR code versions
and error correction levels, as can be seen from the characteristics for QR code
version 4 and 5 that were previously shown in Table 1.
The error correction capacity per block, r, for a QR code represents the
maximum number of codewords that can be in error per block. In other words, a
QR code cannot be decoded if more than rcodewords per block contain errors.
This means that to split the secret QR code across the QR code shares, the
maximum number of codewords that can be changed across the QR code shares
per block is r×n. However, since cis the total number of codewords per block,
there is no point changing more codewords than c, even in the case where r×nis
greater than c. Hence, the maximum number of codewords that may be changed
should be the smaller of the two values. This will be referred to as m, where m
=min(r×n,c).
In order for a QR code to be correctly decoded, there must be a minimum
number of codewords per block that cannot contain any errors. This value will
be referred to as l, where l=c−r. This also means that in the reconstructed
secret QR code, each block must have l, or more, correct codewords in order to
decode the reconstructed QR code and to reveal the secret message.
The proposed QRCSS scheme requires that m > l for each block. Otherwise,
it will not be possible to split information required to reconstruct the secret QR
code across the shares, while maintaining valid QR code shares. This also means
that the number of codewords that have to be altered per block, t, can lie any-
where between land m. Nevertheless, in practice it is best to evenly distribute
the error among the shares and the reconstructed secret. Given that lis the
minimum number of codewords per block that have to be changed across the
shares, to evenly distribute the error among the shares, at least l
ncodewords
per block have to be changed for each share. However, using this value would
mean that the reconstructed secret has absolutely no error tolerance. As such,
in the proposed QRCSS scheme, the error correction capacity for each block of
the reconstructed secret was taken as the ratio between the total error correc-
tion capacity of the shares and minimum number of codewords that had to be
changed, i.e. r×n
lrounded to the nearest integer. Hence, to balance between the
error correction capacity of the reconstructed secret and the number of errors
that have to be introduced in the shares, t=min(l+round(r×n
l), m), since t
ranges between land m. In general, the larger the value of n, the larger the error
correction capacity of the reconstructed secret, for cases where t < m. If t=m,
the error correction capacity of the reconstructed secret QR code is equal to the
error correction capacity of the original secret QR code, i.e. r.
Let ebe the maximum number of codewords in a block to change per share,
or in other words the maximum number of errors that will be introduced to a
block per share in order to distribute the secret. To evenly distribute the error
across the shares, the value of eshould be t
nrounded up to the nearest integer,
QR Code Secret Sharing 9
i.e. e=round up( t
n). This means that the larger the value of n, the smaller the
amount of error per share e. So while the original cover QR code error capacity
per block is r, the resulting error capacity per block for each QR code share
in this QRCSS scheme is r−e. For the reconstructed secret QR code, since t
codewords per block were altered in the shares, c−tcodewords per block will
be in error when reconstructed. So the error correction capacity per block in the
reconstructed secret QR code is r−(c−t).
4.3 Format and Version
The format information for a QR code contains 15-bits and allows for an error
of 3-bits, or less. The first 2-bits in the bit sequence represent the error correc-
tion level, which in the proposed QRCSS scheme must be the same for all the
shares and the secret. Hence, these 2-bits do not have to be altered as only the
next 13-bits may vary between the individual shares and the secret. The format
information allows for an error of up to 3-bits in each share to be corrected.
In addition, the reconstructed secret itself allows for a 3-bit format information
error to be corrected. As such, to evenly distribute the error across the shares,
the maximum number of format information bits to change per share f, should
be 13
n+1 rounded up to the nearest integer, i.e. if n= 3 then f= 3, otherwise
f=round up(13
n+1 ).
QR code version 7 and above have additional version information. However
since the proposed QRCSS scheme uses QR codes of the same version, the version
information modules are the same for all QR code shares. As such, the unaltered
version information simply has to be added to the reconstructed secret QR code.
In the proposed scheme, the choice of QR code version used to share a secret
has a direct bearing on its security. The security of the QRCSS scheme is gov-
erned by a security parameter λ. The size of λdepends on the data capacity of a
QR code. The more data a QR code can contain, the larger λwill be. Hence, the
QR code version has to be taken into consideration when determining security
of the scheme. This is because the larger the QR code version, the higher its
data capacity.
4.4 Algorithm
The proposed (n,n) QRCSS scheme can formally be described as follows. The
algorithm takes one secret QR code, S, and ncover QR codes, C1,C2, ..., Cn,
as input and outputs nQR code shares, S1,S2, ..., Sn. The minimum required
value of nfor each error correction level was previously discussed in Section
4.1. Each QR code share S1to Snis a valid QR code that when decoded by
a QR code reader will produce the same information as their respective cover
QR codes C1to Cn. Pseudocode for the proposed QRCSS scheme is presented
in Algorithm 1. In should be noted that the input QR codes can be generated
using any standard QR code generator.
To recover the secret, XOR the modules in the encoding regions of all the
shares S1⊕S2⊕...⊕Snand add the function patterns to produce a reconstructed
10 Y.W. Chow et al.
QR code, Sr. When decoded by a QR code reader, Srwill produce the same
message as S.
5 Analysis and Discussion
A secret sharing scheme can be evaluated based on a number of properties, in-
cluding its security, reconstruction precision, computation complexity and stor-
age requirement [21]. This section presents an analysis and discussion of the
QRCSS scheme based on these properties.
A program implementing the proposed (n,n) QRCSS scheme, using the
pseudocode shown in Algorithm 1, was developed. An example of the results
produced by the QRCSS scheme is depicted in Fig. 3 and Fig. 44. The example
shown in these figures is for the case where n= 3, using QR code version 4 with
error correction level H. Fig. 3(a)-(c) show the three cover QR codes, C1,C2and
C3, while Fig. 4(a) shows the original QR code containing a secret message, S,
which is to be encoded into the shares. Fig. 3(d)-(f) show the QR code shares
resulting from the proposed QRCSS scheme, i.e. S1,S2and S3, which were
obtained from their respective covers. Note that these shares are valid QR codes
that can be read by any standard QR code reader. Fig. 4(b) in turn shows
the reconstructed QR code, Sr, which was obtained by XORing the modules in
the encoding regions of all the shares, S1⊕S2⊕S3, and appending the function
patterns. The secret message can be recovered by decoding Srusing a QR code
reader.
A description of the characteristics for the example results shown in Fig. 3 and
Fig. 4 is as follows. The codewords in QR codes of version 4 and error correction
level H are divided into 4 error correction blocks, with the characteristics of
c= 25, k= 9 and r= 8 for all blocks (refer to Table 1). Using the proposed
algorithm, l= 17 and m= 24, while t= 20 and e= 7 for each block. As such,
a maximum of 7 codewords per block were altered in S1,S2and S3(i.e. a total
of 20 codewords were changed per block, so two of the shares had 7 codewords
altered while the remaining share had 6 codewords altered). This means that
each block in S1,S2and S3has an error correction capacity of at least 1 and
each block in Srhas an error correction capacity of 3. Hence, even if there are
some errors introduced to Sr, due to damage or other reasons, the secret message
can still be recovered.
Fig. 3(g)-(i) show the respective difference images between the cover QR
codes and the resulting QR code shares, while Fig. 4(c) show the differences
between the secret QR code and the reconstructed secret QR code. In the dif-
ference images, gray represent no change, while white represents a change in the
reflectance value from a dark module in the cover QR code to a light module in
the QR code share, and conversely black represents a change from a light mod-
ule in the cover to a dark module in the resulting share. The difference images
4Please note that all QR codes presented in this paper are valid QR codes that can
be decoded by a QR code reader.
QR Code Secret Sharing 11
Algorithm 1 QRCSS pseudocode
function GenerateShares()
Input: A secret QR code, S, and ncover QR codes, C1,C2, ..., Cn
/* Create nshares and copy contents of each cover to the respective share */
for ifrom 1 to ndo
Create Si
Si←Ci
end for
/* Data and error correction codewords */
for each QR code block do /* Some QR code versions have 2 different block sizes
*/
Calculate land m
if m≤lthen
Quit /* Scheme requires m > l, otherwise input is not valid */
else
Determine tand e
for ifrom 1 to tdo
Randomly select a codeword, w, within the block that has not previ-
ously been changed
Select a random share, Sx, where 1 ≤x≤n, that has not exceeded
the value of e
for each module jin wdo /* where 1 ≤j≤8 (a codeword contains
8 modules) */
if Sj
1⊕Sj
2⊕... ⊕Sj
n̸=Sjthen
/* Sj
kdenotes the j-th module of win the k-th share */
/* Sjdenotes the j-th module of win the secret */
Flip the reflectance value of Sj
x
end if
end for
end for
end if
end for
/* Format information */
Determine f/* The maximum number of format information bits to change per
share */
for jfrom 3 to 15 do /* For each module of the format information, except the
first 2-bits */
if Sj
1⊕Sj
2⊕... ⊕Sj
n̸=Sjthen
Select a random share, Sx, where 1 ≤x≤n, that has not exceeded the
value of f
Flip the reflectance value of Sj
x
end if
end for
Output S1,S2, ..., Sn
end function
12 Y.W. Chow et al.
(a) (b) (c)
(d) (e) (f)
(g) (h) (i)
Fig. 3. Example of a (3, 3) QRCSS; (a) C1, (b) C2, (c) C3, (d) S1, (e) S2, (f) S3,
(g) Difference image between C1and S1, (h) Difference image between C2and S2, (i)
Difference image between C3and S3.
(a) (b) (c)
Fig. 4. Secret and reconstructed secret for the example shown in Fig 3. (a) Original
QR code containing the secret message, S. (b) Reconstructed secret QR code, Sr. (c)
Difference image between Sand Sr.
QR Code Secret Sharing 13
indicate the error that was deliberately embedded into the QR codes for the
purpose of sharing the secret.
5.1 Properties
From a computational complexity point of view, the QRCSS scheme is not com-
putationally complex, as encoding and decoding in the scheme is based on the
simple Boolean XOR operation. In addition, despite the deliberate error incor-
porated in the shares by the proposed scheme, the scheme is still able handle
a small amount of error when decoding the reconstructed secret QR code. The
greater the number of shares used to distribute the secret, the smaller the amount
of error that has to be encoded into each of the QR code shares. This will also
increase the recoverability of the secret, because the reconstructed secret QR
code will contain less errors.
Since the secret is encoded as a QR code, the size of the secret message is
governed by the QR code data capacity. The size of of each share in the proposed
scheme is the same as the size of the secret QR code. One of the advantages of
the QRCSS scheme is that the shares do not have to be stored in digital form,
as they can be distributed on printed media.
5.2 Security
Individual QR code shares by themselves do not reveal the secret message. How-
ever, since shares and the secret QR code use the same QR code version and
error correction level, an adversary who can identify a QR code share will have
this knowledge. In addition, given any QR code share, it is trivial to obtain its
cover QR code. This can be done by simply decoding the information in the QR
code share, then using this information to generate a QR code of the appropriate
version and error correction level. This will produce the original cover QR code.
As such, it is easy to find the differences between the original cover QR code and
the modified QR code. This property also makes it possible to identify potential
QR code shares. Based on the information about the differences between the
original and the modified QR code, the value of ncan be inferred. Nevertheless,
it is not possible to reconstruct the secret with this information alone.
Brute Force Attack. In light of the fact that in QRCSS the secret message is
encoded as a QR code, an adversary can adopt a brute force strategy akin to a
dictionary attack. This is because the secret must be in the form of a valid QR
code. Thus, if an attacker has information about the version and error correction
level of the secret QR code, the attacker can go through all the possibilities of
valid QR codes with the same version and error correction level. Let S′denote
a valid, or in other words ‘meaningful’, QR code of the known version and error
correction level, and |S′|be the cardinality of all the valid QR codes with the
same version and error correction level. The probability of success for this attack
will be bounded by 1
|S′|. The size of |S′|is governed by the size of data that a
14 Y.W. Chow et al.
QR code can contain, which is determined by the specific QR code version used
to encode the message. Hence, the larger the secret QR code, the larger |S′|will
be, which in turn lowers the success of an attack. Let dbe the number of data
codewords for a QR code of a given version and error correction level. Since each
codeword contains 8 modules, |S′|= 28d.
Collusion Attack. It is conceivable that n−1 participants may collude and
combine the information from their shares together in an attempt to find S.
Since S1⊕S2⊕...⊕Sn=Sr, in a collusion attack where n−1 participants
combine their shares, they will have S1,S2, ..., Sn−1. Let S′
ndenote a possible
Sn, or in other words the attacker’s ‘guess’ of Sn. Furthermore, let S′rdenote
a valid QR code that when decoded will give the same information as S′, and
let S′rrepresent the set of all valid QR codes created by modifying the modules
of all QR codes in S′. This is in line with the fact that the modules in the
reconstructed secret QR code, Sr, are not the same as the secret QR code, S.
Hence, even though when decoded S′rand S′will give the same information,
the modules in S′rand S′are not the same. This means that the entries in S′r
must be created by going through all the possible modifications of all QR codes
in S′that will produce valid QR codes. Therefore, the cardinality of S′r,|S′r|,
will be very much larger than |S′|.
|S′r|can be determined based on the specific QR code version and error
correction level. Each block of a QR code has ccodewords and an error capacity
of rcodewords. Each codeword contains 8 modules. This means that a block can
correctly be decoded as long as there are r, or less, codewords in cthat are in
error. However, as previously shown in Table 1, some QR code versions have 2
different block characteristics, B1and B2. Let c1and c2denote the number of
codewords per block, and let r1and r2represent the error correction capacity
per block, for blocks of type B1and B2respectively. In addition, let n1and n2
represent the number of blocks of type B1and B2for that specific QR code. For
a QR code of a given version and error correction level, |S′r|can be determined
as follows:
|S′r|=[[(
r1
∑
i=0 (c1
i)).28]n1.[(
r2
∑
j=0 (c2
j)).28]n2].|S′|
A collusion attack may take the following form. By going through the en-
tries in S′rusing S1⊕S2⊕...⊕Sn−1⊕S′r=S′
n, if S′
nis not a valid QR code, i.e.
cannot be decoded, then S′rcan be removed from S′r. Thus, reducing the space
of potential reconstructed secret QR codes, |S′r|, to contain less possibilities.
Nevertheless, it should be noted that this space will still be very large as |S′r|
is very much larger than |S′|. Let |S′′|denote this reduced space. It is obvious
that the value of |S′′|will increase for the cases of n−2, n−3, etc.
Security Parameter. The security underlying the QRCSS scheme is therefore
governed by the security parameter λ=min(|S′|,|S′′|). Clearly, larger QR code
versions will increase the size of λ, thereby increasing the security of the scheme.
QR Code Secret Sharing 15
Concealment. One of the primary advantages of this scheme stems from the
fact that since each share is a meaningful QR code in itself, this will reduce the
likelihood of attracting the attention of potential attackers. In addition, since
the modules in QR codes do not have to be black and white squares, it would be
advantageous if each QR code share were to be constructed using different artistic
QR code schemes. The QRCSS scheme will work as long as the modules in each
share can be scanned. The use of different artistic schemes will not only increase
the secret sharing subterfuge by using meaningful innocent-looking QR code
shares, but will also improve concealment as shares will appear to be unrelated.
6 Conclusion and Future Work
This paper presents a novel approach to secret sharing using QR codes. In QR
code secret sharing, a QR code containing a secret message is distributed and
encoded into a set of meaningful QR code shares. The proposed approach uses
the error correction feature, which is an inherent part of the QR code structure,
to distributed and hide information about the secret. Each share is a valid QR
code which contains meaningful information when scanned individually. Hence,
this reduces the likelihood of attracting the attention of potential attackers when
distributed via public channels. When all shares are made available, the secret
message can be recovered. Unlike a number of other secret sharing schemes
where the shares are digital images, which have to be stored and transmitted
electronically, the QR code shares in this approach can be distributed using
printed media.
References
1. G. Ateniese, C. Blundo, A. De Santis, and D. R. Stinson. Extended capabilities
for visual cryptography. Theor. Comput. Sci., 250(1-2):143–161, Jan. 2001.
2. A. Beimel. Secret-sharing schemes: A survey. In IWCC, pages 11–46, 2011.
3. G. Blakley. Safeguarding cryptographic keys. In Proceedings of the 1979 AFIPS
National Computer Conference, pages 313–317, 1979.
4. C. Blundo, P. D’Arco, A. D. Santis, and D. R. Stinson. Contrast optimal threshold
visual cryptography schemes. SIAM J. Discrete Math., 16(2):224–261, 2003.
5. T. V. Bui, N. K. Vu, T. T. Nguyen, I. Echizen, and T. D. Nguyen. Robust mes-
sage hiding for qr code. In Intelligent Information Hiding and Multimedia Signal
Processing (IIH-MSP), 2014 Tenth International Conference on, pages 520–523.
IEEE, 2014.
6. W.-Y. Chen and J.-W. Wang. Nested image steganography scheme using qr-
barcode technique. Optical Engineering, 48(5):057004–057004, 2009.
7. Y. Chow, W. Susilo, M. H. Au, and A. M. Barmawi. A visual one-time password
authentication scheme using mobile devices. In Information and Communications
Security (ICICS’14), volume 8958 of Lecture Notes in Computer Science, pages
243–257. Springer, 2015.
8. Y.-W. Chow, W. Susilo, and D. S. Wong. Enhancing the perceived visual quality of
a size invariant visual cryptography scheme. In Information and Communications
16 Y.W. Chow et al.
Security (ICICS’12), volume 7618 of Lecture Notes in Computer Science, pages
10–21. Springer, 2012.
9. C.-H. Chung, W.-Y. Chen, and C.-M. Tu. Image hidden technique using qr-
barcode. In Intelligent Information Hiding and Multimedia Signal Processing, 2009.
IIH-MSP’09. Fifth International Conference on, pages 522–525. IEEE, 2009.
10. Denso Wave Incorporated. QRcode.com, http://www.qrcode.com/en/.
11. S. Falkner, P. Kieseberg, D. Simos, C. Traxler, and E. Weippl. E-voting authen-
tication with qr-codes. In Human Aspects of Information Security, Privacy, and
Trust, volume 8533 of Lecture Notes in Computer Science, pages 149–159. Springer,
2014.
12. H.-C. Huang, F.-C. Chang, and W.-C. Fang. Reversible data hiding with
histogram-based difference expansion for qr code applications. Consumer Elec-
tronics, IEEE Transactions on, 57(2):779–787, 2011.
13. International Organization for Standardization. Information technology — auto-
matic identification and data capture techniques — qr code 2005 bar code sym-
bology specification. ISO/IEC 18004:2006, 2006.
14. H.-C. Lee, C.-R. Dong, and T.-M. Lin. Digital watermarking based on jnd model
and qr code features. In Advances in Intelligent Systems and Applications-Volume
2, pages 141–148. Springer, 2013.
15. P.-Y. Lin, Y.-H. Chen, E. J.-L. Lu, and P.-J. Chen. Secret hiding mechanism using
qr barcode. In Signal-Image Technology & Internet-Based Systems (SITIS), 2013
International Conference on, pages 22–25. IEEE, 2013.
16. F. Liu, T. Guo, C. K. Wu, and L. Qian. Improving the visual quality of size
invariant visual cryptography scheme. J. Visual Communication and Image Rep-
resentation, 23(2):331–342, 2012.
17. M. Naor and A. Shamir. Visual cryptography. In A. D. Santis, editor, EURO-
CRYPT, volume 950 of Lecture Notes in Computer Science, pages 1–12. Springer,
1994.
18. A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.
19. C.-C. Thien and J.-C. Lin. Secret image sharing. Computers & Graphics,
26(5):765–770, 2002.
20. D. Wang, F. Yi, and X. Li. On general construction for extended visual cryptog-
raphy schemes. Pattern Recognition, 42(11):3071–3082, 2009.
21. D. Wang, L. Zhang, N. Ma, and X. Li. Two secret sharing schemes based on
boolean operations. Pattern Recognition, 40(10):2776 – 2785, 2007.
22. J. Weir and W. Yan. A comprehensive study of visual cryptography. T. Data
Hiding and Multimedia Security, 5:70–105, 2010.
23. J. Weir and W. Yan. Authenticating visual cryptography shares using 2d barcodes.
In IWDW, volume 7128 of Lecture Notes in Computer Science, pages 196–210.
Springer, 2011.
24. W.-C. Wu, Z.-W. Lin, and W.-T. Wong. Application of qr-code steganography
using data embedding technique. In Information Technology Convergence, pages
597–605. Springer, 2013.
25. W. Yan, J. Wier, and M. S. Kankanhalli. Image secret sharing. In S. Cimato
and C.-N. Yang, editors, Visual Cryptography and Secret Image Sharing, pages
381–402. CRC Press, Taylor and Francis Group, 2012.
26. C.-N. Yang, A.-G. Peng, and T.-S. Chen. Mtvss: (m)isalignment (t)olerant (v)isual
(s)ecret (s)haring on resolving alignment difficulty. Signal Processing, 89(8):1602–
1624, 2009.
