Information Hiding&

Digital Watermarking

Tri Van Le

Outlines

• Background• State of the art• Research goals• Research plan• Our approaches

Background

• Information hiding– Steganography– Digital watermarking

• Related work– Covert channels– Anonymous communications

Information Hiding

• Steganography– Invisible inks– Small dots– Letters

• Digital watermarking– Copyright information– Tracing information

Information Hiding

• Main idea– Hide messages in a cover

• Steganography– Secrecy of messages

• Watermarking– Authenticity of messages

Covert Channels

• Leakage information (e.g. viruses)– Disk space– CPU load

• Subliminal channels– Digital signatures– Encryption schemes– Cryptographic malwares

Covert Computations

• Computation inside computations– Secret design calculations inside a

factoring computation– Secret physics simulations inside a

cryptographic software or devices

Anonymous Communications

• MIX Networks– Electronic voting– Anonymous communication

• Onion Routings– Limited anonymous communication

• Blind signatures– Digital cash

Digital Watermarking

• Secure against known simple attacks– Common lossy compressions

• JPEG, MPEG, …

– Common signal processing operations• Band pass, echo, pitch, noise filters, …• Crop, scale, move, reshape, …

• Specialized attacks

Information Hiding(state of the art)

• Many schemes were proposed– Most of them were broken

• Use heuristic security– Subjective measurements– Assume very specific enemy

Broken Schemes (I)

Name Author(s) Pro-BroContraband Zimmerman 1996-1999

Echo Hiding Gruhl et. Al. 1996-1998

EIKONA Pitas 1996-1998

EzStego Machado 1994-1999

Fravia Fravia 1995-1999

Broken Schemes (II)

Name Author(s) Pro/BroHide and Seek Latham 1998-1999

J K_PGS Kutter & J ordan 1997-1998

J Steg Korejwa 1998-1999

NEC Method Cox et. Al. 1996-1998

PGMStealth Rinne 1994-1999

Broken Schemes (III)

Name Author(s) Pro/BroPictureMarc Rhoads 1997-1998

Piilo Aura 1995-1999

Snow Kwan 1996-1999

Steganos Steganos GmbH 1996-1999

Stegodos Wolf 1995-1999

Broken Schemes (IV)

Name Author(s) Pro/BroS-Tools Brown 1995-1999

SureSign Signum Tech 1997-1998

SysCoP Koch & Zhao 1995-1998

White noise storm Arachelian 1994/1999

Cryptography in the 80s

• Beginning time of open research• A lot of schemes proposed• Most of them soon broken

Broken Cryptosystems (I)

MerkleHellman

1978-1984

IteratedKnapsack

1978-1984

Lu-Lee

1979-1980

MerlkeHellman

MerlkeHellman

Lu-Lee

AdigaShankar

1985-1988

AdigarShankar

Nieder-reiter

1986-1988

Neiderreiter

GoodmanMcAuly

1984-1988

GoodmanMcAuly

Pieprzyk

1985-1988

Pieprzyk

ChorRivest

1988-1998

ChorRivest

Okamoto

1986-1987

Okamoto

Okamoto

1987-1988

Okamoto

Broken Cryptosystems (II)

MatsumotoImai

1983-1984

Cade

1985-1986

Yagisawa

1985-1986

MatsumotoImai

Cade Yasigawa

TMKIF

1986-1985

Tsujii, ItohMatsumotoKurosama

Fujioka

LuccioMazzone

1980-1981

LuccioMazzone

KravitzReed

1982-1982

KravitzReed

RaoNam

1986-1988

RaoNam

LowDegree

CG

1982

HighDegree

CG

1988

RivestAdleman

Dertouzos

1978-1987

RivestAdleman

Dertouzos

KrawczykBoyar

...

Proven Secure Schemes

• Perfectly secure schemes– Shannon (1949)

• Computationally secure schemes – Goldwasser and Micali (1982)– Rabin (1981)

Perfectly Secure Cryptosystems

• Shannon’s work (1949)– Mathematical proof of security– Information theoretic secrecy

• Enemy with unlimited power– Can compute any desired function

Computationally Secure Cryptosystems

• Rabin (81), Goldwasser & Micali (82)– Mathematical proof of security– Computational secrecy

• Enemy with limited time and space– Can run in polynomial time– Can use polynomial space

Research Goals

• Fundamental way– Systematic approach– Same as Shannon and Goldwasser’s

work

• What are the properties– Hiding– Secrecy – Authenticity

Fundamental Models

• Unconditional Security– Unlimited enemy

• Statistical Security– Polynomial number of samples

• Computational Security– Polynomial time and space

Information Hiding Properties

• Hiding property– Output must look like the cover

• Secrecy property– No partial information on input

message

• Authenticity property– Hard to compute valid output

Unconditional Hiding

• Definition– E: KM C, encryption function– K: key set, M: message set, C: cover

set

– Pcover: probability distribution of covers

– Pc: probability distribution of E(k,m)

• Requires– Pc = Pcover

Statistical Hiding

• Definition– Pcover: probability distribution of covers

– Pc: probability distribution of E(k,m)

– n: description length of each cover

• Requires– |Pc - Pcover| is negligible.

– |Pc - Pcover| < n-d for all d>0 and n>Nd.

Computational Hiding

• Definition– Pcover: probability distribution of covers

– Pc: probability distribution of E(k,m)

– n: description length of each cover

• Requires– Pc and Pcover are P-time

indistinguishable

Computational Hiding

• P-time indistinguishable– For all P.P.T.M. A, d>0, and n>Nd:

Prob(A(Pc)=1) - Prob(A(Pcover)=1) < n-d.

– Informally speaking• No P-time enemy can tell apart Pc and

Pcover

Unconditional Secrecy

• Ciphertext independence:– Prob(m|E(k,m)) = Prob(m)

• Informally• no information on message given

ciphertext

Statistical Secrecy

• Negligible advantages:– For all m in M, d>0, n>Nd:

• |Prob(m|E(k,m)) - Prob(m)| < n-d

– Informally• Only negligible amount of information on

message leaked when given the ciphertext.

Computational Secrecy

• Negligible chances:– For all P.P.T.M. A:

– For all m in M, d>0, n>Nd:• |Prob(A(E(k,m))=m)| < n-d

– Informally• Only negligible chance of output correct

m.

Our Approaches

• Arbitrary key– Steganography, watermarking

• Restricted key– Protection of key materials

• Key = Ciphertext– Secret sharing

Our Approaches

• Arbitrary key distribution– E(k,m) is distributed accordingly to

Pcover

• Applications– Steganography– Digital watermarking– Tamper-resistant hardware

Our Approaches

• Restricted key distribution– c = E(k,m)

– k is distributed accordingly to PK

– c is distributed accordingly to Pcover

• Applications– No tamper-resistant hardware– Protection of key materials

Our Approaches

• Key = Ciphertext– S: MCC– (k1,k2) = S(m)

• Requires– k1 and k2 distributed accordingly to Pcover

• Applications– Secret sharing– Robustness

Research Progress

• To understand information hiding– Perfect hiding (done)

• Necessary and sufficient conditions• Computational complexity results• Constructions of prefect secure schemes• Constructions of schemes with non-reliability

– Computational hiding (under research)• Conventional constructions• Public key schemes

Perfect Hiding Scheme

• Condition– Pcover(c) 1/|M|

• Algorithms– Setup: produce |M| matrices Ai

– Disjoint non-zero entries– Columns sum up to Pcover

– Rows sum up to the same

– Encrypt:– E(k,m) distributes accordingly to row Am(k).

Perfect Hiding Scheme

• Algorithms– Encrypt:

– c=E(k,m) distributes accordingly to row Am(k).

– Decrypt:– Output m such that Am(k,c)>0.

• Message distribution independence– Hiding implies privacy.

Other aspects

• Other aspects– Replacing privacy by authenticity– Digital watermarking

• Extra problem– Robustness against modifications– Simple modifications– General modifications

How to exploit

• Quadratic residues– n = pq

– S1 = {x2 |x in Zn*}

– S2 = {x|x in Zn* and J(x)=1}

• Decision Diffie-Hellman– U1 = (g, ga, gb, gab) mod p

– U2 = (g, ga, gb, gr) mod p

Conclusion

• Covert channels– Very special distribution

• Our work– General distribution– Proven security levels

Thank you

• Questions?