32 research outputs found

    On the Gold Standard for Security of Universal Steganography

    While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem - i.e. one that works on all channels - achieving security against replayable chosen-covertext attacks (SS-RCCA) and asked whether security against non-replayable chosen-covertext attacks (SS-CCA) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and SS-CCA-security can be achieved simultaneously. No progress on this question has been achieved since more than a decade. In our work we solve Hopper's problem in a somehow complete manner: As our main positive result we design an SS-CCA-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels - where the already sent documents have only marginal influence on the current distribution - and prove that no SS-CCA-secure steganography for this family exists in the standard non-look-ahead model. Comment: EUROCRYPT 2018, llncs styl

    Information similarity metrics in information security and forensics

    We study two information similarity measures, relative entropy and the similarity metric, and methods for estimating them. Relative entropy can be readily estimated with existing algorithms based on compression. The similarity metric, based on algorithmic complexity, proves to be more difficult to estimate due to the fact that algorithmic complexity itself is not computable. We again turn to compression for estimating the similarity metric. Previous studies rely on the compression ratio as an indicator for choosing compressors to estimate the similarity metric. This assumption, however, is fundamentally flawed. We propose a new method to benchmark compressors for estimating the similarity metric. To demonstrate its use, we propose to quantify the security of a stegosystem using the similarity metric. Unlike other measures of steganographic security, the similarity metric is not only a true distance metric, but it is also universal in the sense that it is asymptotically minimal among all computable metrics between two objects. Therefore, it accounts for all similarities between two objects. In contrast, relative entropy, a widely accepted steganographic security definition, only takes into consideration the statistical similarity between two random variables. As an application, we present a general method for benchmarking stegosystems. The method is general in the sense that it is not restricted to any covertext medium and therefore, can be applied to a wide range of stegosystems. For demonstration, we analyze several image stegosystems using the newly proposed similarity metric as the security metric. The results show the true security limits of stegosystems regardless of the chosen security metric or the existence of steganalysis detectors. In other words, this makes it possible to show that a stegosystem with a large similarity metric is inherently insecure, even if it has not yet been broken

    An Information-Theoretical Model for Streaming Media Based Stegosystems

    Steganography in streaming media differs from steganography in images or audio files because of the continuous embedding process and the necessary synchronization of sender and receiver due to packet loss in streaming media. The conventional theoretical model for image steganography is not appropriate for explaining the security scenarios for streaming media based stegosystems. In this paper, we propose a new information-theoretical model with two pseudo-random sequences imitating the continuous embedding and synchronization characteristics of streaming media based stegosystems. We also discuss the statistical properties of Voice over Internet Protocol (VoIP) speech streams through theoretical analysis and experimental testing. The experimental results show the bit stream consisting of fixed codebook parameters in speech frames is similar in statistical characteristics to a white-noise sequence. The relative entropy between the VoIP speech stream and the embedded secret message has been found to be zero. This leads us to conclude that the proposed streaming media based stegosystem is secure against statistical detection; in other words, the statistical measures cannot detect the existence of the secret message embedded in VoIP speech streams

    Designing Secure and Survivable Stegosystems

    Steganography, the art and science of carrying out hidden communication, is an emerging sub-discipline of information security. Unlike cryptography, steganography conceals the existence of a secret message by embedding it in an innocuous container digital media, thereby enabling unobtrusive communication over insecure channels. Detection and extraction of steganographic contents is another challenge for the information security professional and this activity is commonly known as steganalysis. Recent progress in steganalysis has posed a challenge for design and development of stegosystems with high levels of security and survivability. In this paper, different strategies have been presented that can be used to escape detection and foil an eavesdropper having high technical capabilities as well as adequate infrastructure. Based on the strength and weaknesses of current steganographic schemes, ideas have been progressed to make detection and destruction of hidden information more difficult

    Using Kolmogorov Complexity for Understanding Some Limitations on Steganography

    Recently perfectly secure steganographic systems have been described for a wide class of sources of covertexts. The speed of transmission of secret information for these stegosystems is proportional to the length of the covertext. In this work we show that there are sources of covertexts for which such stegosystems do not exist. The key observation is that if the set of possible covertexts has a maximal Kolmogorov complexity, then a high-speed perfect stegosystem has to have complexity of the same order

    Hard Communication Channels for Steganography

    This paper considers steganography - the concept of hiding the presence of secret messages in legal communications - in the computational setting and its relation to cryptography. Very recently the first (non-polynomial time) steganographic protocol has been shown which, for any communication channel, is provably secure, reliable, and has nearly optimal bandwidth. The security is unconditional, i.e. it does not rely on any unproven complexity-theoretic assumption. This disproves the claim that the existence of one-way functions and access to a communication channel oracle are both necessary and sufficient conditions for the existence of secure steganography in the sense that secure and reliable steganography exists independently of the existence of one-way functions. In this paper, we prove that this equivalence also does not hold in the more realistic setting, where the stegosystem is polynomial time bounded. We prove this by constructing (a) a channel for which secure steganography exists if and only if one-way functions exist and (b) another channel such that secure steganography implies that no one-way functions exist. We therefore show that security-preserving reductions between cryptography and steganography need to be treated very carefully

    Constructing Perfect Steganographic Systems

    We propose steganographic systems for the case when covertexts (containers) are generated by a finite-memory source with possibly unknown statistics. The probability distributions of covertexts with and without hidden information are the same; this means that the proposed stegosystems are perfectly secure, i.e. an observer cannot determine whether hidden information is being transmitted. The speed of transmission of hidden information can be made arbitrary close to the theoretical limit - the Shannon entropy of the source of covertexts. An interesting feature of the suggested stegosystems is that they do not require any (secret or public) key. At the same time, we outline some principled computational limitations on steganography. We show that there are such sources of covertexts, that any stegosystem that has linear (in the length of the covertext) speed of transmission of hidden text must have an exponential Kolmogorov complexity. This shows, in particular, that some assumptions on the sources of covertext are necessary

    Perfectly secure steganography: hiding information in the quantum noise of a photograph

    We show that the quantum nature of light can be used to hide a secret message within a photograph. Using this physical principle we achieve information-theoretic secure steganography, which had remained elusive until now. The protocol is such that the digital picture in which the secret message is embedded is perfectly undistinguishable from an ordinary photograph. This implies that, on a fundamental level, it is impossible to discriminate a private communication from an exchange of photographs. Comment: 5 pages, 3 figures + appendix : 5 pages, 6 figure

    Perfectly Secure Steganography Using Minimum Entropy Coupling

    Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has classically been studied in security literature, recent advances in generative models have led to a shared interest among security and machine learning researchers in developing scalable steganography techniques. In this work, we show that a steganography procedure is perfectly secure under Cachin (1998)'s information-theoretic model of steganography if and only if it is induced by a coupling. Furthermore, we show that, among perfectly secure procedures, a procedure maximizes information throughput if and only if it is induced by a minimum entropy coupling. These insights yield what are, to the best of our knowledge, the first steganography algorithms to achieve perfect security guarantees for arbitrary covertext distributions. To provide empirical validation, we compare a minimum entropy coupling-based approach to three modern baselines -- arithmetic coding, Meteor, and adaptive dynamic grouping -- using GPT-2, WaveRNN, and Image Transformer as communication channels. We find that the minimum entropy coupling-based approach achieves superior encoding efficiency, despite its stronger security constraints. In aggregate, these results suggest that it may be natural to view information-theoretic steganography through the lens of minimum entropy coupling