On the Gold Standard for Security of Universal Steganography

While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem - i.e. one that works on all channels - achieving security against replayable chosen-covertext attacks (SS-RCCA) and asked whether security against non-replayable chosen-covertext attacks (SS-CCA) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and SS-CCA-security can be achieved simultaneously. No progress on this question has been achieved since more than a decade. In our work we solve Hopper's problem in a somehow complete manner: As our main positive result we design an SS-CCA-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels - where the already sent documents have only marginal influence on the current distribution - and prove that no SS-CCA-secure steganography for this family exists in the standard non-look-ahead model.Comment: EUROCRYPT 2018, llncs styl

Perfectly Secure Steganography Using Minimum Entropy Coupling

Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has classically been studied in security literature, recent advances in generative models have led to a shared interest among security and machine learning researchers in developing scalable steganography techniques. In this work, we show that a steganography procedure is perfectly secure under Cachin (1998)'s information-theoretic model of steganography if and only if it is induced by a coupling. Furthermore, we show that, among perfectly secure procedures, a procedure maximizes information throughput if and only if it is induced by a minimum entropy coupling. These insights yield what are, to the best of our knowledge, the first steganography algorithms to achieve perfect security guarantees for arbitrary covertext distributions. To provide empirical validation, we compare a minimum entropy coupling-based approach to three modern baselines -- arithmetic coding, Meteor, and adaptive dynamic grouping -- using GPT-2, WaveRNN, and Image Transformer as communication channels. We find that the minimum entropy coupling-based approach achieves superior encoding efficiency, despite its stronger security constraints. In aggregate, these results suggest that it may be natural to view information-theoretic steganography through the lens of minimum entropy coupling

The role of side information in steganography

Das Ziel digitaler Steganographie ist es, eine geheime Kommunikation in digitalen Medien zu verstecken. Der übliche Ansatz ist es, die Nachricht in einem empirischen Trägermedium zu verstecken. In dieser Arbeit definieren wir den Begriff der Steganographischen Seiteninformation (SSI). Diese Definition umfasst alle wichtigen Eigenschaften von SSI. Wir begründen die Definition informationstheoretisch und erklären den Einsatz von SSI. Alle neueren steganographischen Algorithmen nutzen SSI um die Nachricht einzubetten. Wir entwickeln einen Angriff auf adaptive Steganographie und zeigen anhand von weit verbreiteten SSI-Varianten, dass unser Angriff funktioniert. Wir folgern, dass adaptive Steganographie spieltheoretisch beschrieben werden muss. Wir entwickeln ein spieltheoretisches Modell für solch ein System und berechnen die spieltheoretisch optimalen Strategien. Wir schlussfolgern, dass ein Steganograph diesen Strategien folgen sollte. Zudem entwickeln wir eine neue spieltheoretisch optimale Strategie zur Einbettung, die sogenannten Ausgleichseinbettungsstrategien.The  goal of digital steganography is to hide a secret communication in digital media. The common approach in steganography is to hide the secret messages in empirical cover objects. We are the first to define Steganographic Side Information (SSI). Our definition of SSI captures all relevant properties of SSI. We explain the common usage of SSI. All recent steganographic schemes use SSI to identify suitable areas fot the embedding change. We develop a targeted attack on four widely used variants of SSI, and show that our attack detects them almost perfectly. We argue that the steganographic competition must be framed with means of game theory. We present a game-theoretical framework that captures all relevant properties of such a steganographic system. We instantiate the framework with five different models and solve each of these models for game-theoretically optimal strategies. Inspired by our solutions, we give a new paradigm for secure adaptive steganography, the so-called equalizer embedding strategies

The Realizations of Steganography in Encrypted Domain

With the popularization and application of privacy protection technologies in cloud service and social network, ciphertext has been gradually becoming a common platform for public to exchange data. Under the cover of such a plat-form, we propose steganography in encrypted domain (SIED) in this paper to re-alize a novel method to realize secret communication Based on Simmons' model of prisoners' problems, we discuss the application scenarios of SIED. According to the different accesses to the encryption key and decryption key for secret mes-sage sender or receiver, the application modes of SIED are classified into four modes. To analyze the security requirments of SIED, four levels of steganalysis attacks are introduced based on the prior knowledge about the steganography system that the attacker is assumed to obtain in advance. Four levels of security standards of SIED are defined correspondingly. Based on the existing reversible data hiding techniques, we give four schemes of SIED as practical instances with different security levels. By analyzing the embedding and extraction characteris-tics of each instance, their SIED modes, application frameworks and security lev-els are discussed in detail

Theory and Applications of Outsider Anonymity in Broadcast Encryption

Broadcast Encryption (BE) allows efficient one-to-many secret communication of data over a broadcast channel. In the standard setting of BE, information about receivers is transmitted in the clear together with ciphertexts. This could be a serious violation of recipient privacy since the identities of the users authorized to access the secret content in certain broadcast scenarios are as sensitive as the content itself. Anonymous Broadcast Encryption (AnoBe) prevents this leakage of recipient identities from ciphertexts but at a cost of a linear lower bound (in the number of receivers) on the length of ciphertexts. A linear ciphertext length is a highly undesirable bottleneck in any large-scale broadcast application. In this thesis, we propose a less stringent yet very meaningful notion of anonymity for anonymous broadcast encryption called Outsider-Anonymous Broadcast Encryption (oABE) that allows the creation of ciphertexts that are sublinear in the number of receivers. We construct several oABE schemes with varying security guarantees and levels of efficiency. We also present two very interesting cryptographic applications afforded by the efficiency of our oABE schemes. The first is Broadcast Steganography (BS), the extension of the state of the art setting of point-to-point steganography to the multi-recipient setting. The second is Oblivious Group Storage (OGS), the introduction of fine-grained data access control policies to the setting of multi-client oblivious cloud storage protocols