Information Hiding & Digital Watermarking Tri Van Le
Outlines Background State of the art Research goals Research plan Our approaches
Background Information hiding Related work Steganography Digital watermarking Related work Covert channels Anonymous communications
Information Hiding Steganography Digital watermarking Invisible inks Small dots Letters Digital watermarking Copyright information Tracing information
Information Hiding Main idea Steganography Watermarking Hide messages in a cover Steganography Secrecy of messages Watermarking Authenticity of messages
Covert Channels Leakage information (e.g. viruses) Subliminal channels Disk space CPU load Subliminal channels Digital signatures Encryption schemes Cryptographic malwares
Covert Computations Computation inside computations Secret design calculations inside a factoring computation Secret physics simulations inside a cryptographic software or devices
Anonymous Communications MIX Networks Electronic voting Anonymous communication Onion Routings Limited anonymous communication Blind signatures Digital cash
Digital Watermarking Secure against known simple attacks Common lossy compressions JPEG, MPEG, … Common signal processing operations Band pass, echo, pitch, noise filters, … Crop, scale, move, reshape, … Specialized attacks
Information Hiding (state of the art) Many schemes were proposed Most of them were broken Use heuristic security Subjective measurements Assume very specific enemy
Broken Schemes (I)
Broken Schemes (II)
Broken Schemes (III)
Broken Schemes (IV)
Cryptography in the 80s Beginning time of open research A lot of schemes proposed Most of them soon broken
Broken Cryptosystems (I) Merkle Hellman 1978-1984 Iterated Knapsack 1978-1984 Lu-Lee 1979-1980 Adiga Shankar 1985-1988 Nieder- reiter 1986-1988 Merlke Hellman Merlke Hellman Lu-Lee Adigar Shankar Neiderreiter Goodman McAuly 1984-1988 Pieprzyk 1985-1988 Chor Rivest 1988-1998 Okamoto 1986-1987 Okamoto 1987-1988 Goodman McAuly Pieprzyk Chor Rivest Okamoto Okamoto
Broken Cryptosystems (II) Matsumoto Imai 1983-1984 Cade 1985-1986 Yagisawa 1985-1986 TMKIF 1986-1985 Luccio Mazzone 1980-1981 Matsumoto Imai Cade Yasigawa Tsujii, Itoh Matsumoto Kurosama Fujioka Luccio Mazzone Kravitz Reed 1982-1982 Rao Nam 1986-1988 Low Degree CG 1982 High Degree CG 1988 Rivest Adleman Dertouzos 1978-1987 ... Kravitz Reed Rao Nam Boyar Krawczyk Rivest Adleman Dertouzos
Proven Secure Schemes Perfectly secure schemes Shannon (1949) Computationally secure schemes Goldwasser and Micali (1982) Rabin (1981)
Perfectly Secure Cryptosystems Shannon’s work (1949) Mathematical proof of security Information theoretic secrecy Enemy with unlimited power Can compute any desired function
Computationally Secure Cryptosystems Rabin (81), Goldwasser & Micali (82) Mathematical proof of security Computational secrecy Enemy with limited time and space Can run in polynomial time Can use polynomial space
Research Goals Fundamental way What are the properties Systematic approach Same as Shannon and Goldwasser’s work What are the properties Hiding Secrecy Authenticity
Fundamental Models Unconditional Security Statistical Security Unlimited enemy Statistical Security Polynomial number of samples Computational Security Polynomial time and space
Information Hiding Properties Hiding property Output must look like the cover Secrecy property No partial information on input message Authenticity property Hard to compute valid output
Unconditional Hiding Definition Requires E: KM C, encryption function K: key set, M: message set, C: cover set Pcover: probability distribution of covers Pc: probability distribution of E(k,m) Requires Pc = Pcover
Statistical Hiding Definition Requires Pcover: probability distribution of covers Pc: probability distribution of E(k,m) n: description length of each cover Requires |Pc - Pcover| is negligible. |Pc - Pcover| < n-d for all d>0 and n>Nd.
Computational Hiding Definition Requires Pcover: probability distribution of covers Pc: probability distribution of E(k,m) n: description length of each cover Requires Pc and Pcover are P-time indistinguishable
Computational Hiding P-time indistinguishable For all P.P.T.M. A, d>0, and n>Nd: Prob(A(Pc)=1) - Prob(A(Pcover)=1) < n-d. Informally speaking No P-time enemy can tell apart Pc and Pcover
Unconditional Secrecy Ciphertext independence: Prob(m|E(k,m)) = Prob(m) Informally no information on message given ciphertext
Statistical Secrecy Negligible advantages: For all m in M, d>0, n>Nd: |Prob(m|E(k,m)) - Prob(m)| < n-d Informally Only negligible amount of information on message leaked when given the ciphertext.
Computational Secrecy Negligible chances: For all P.P.T.M. A: For all m in M, d>0, n>Nd: |Prob(A(E(k,m))=m)| < n-d Informally Only negligible chance of output correct m.
Our Approaches Arbitrary key Restricted key Key = Ciphertext Steganography, watermarking Restricted key Protection of key materials Key = Ciphertext Secret sharing
Our Approaches Arbitrary key distribution Applications E(k,m) is distributed accordingly to Pcover Applications Steganography Digital watermarking Tamper-resistant hardware
Our Approaches Restricted key distribution Applications c = E(k,m) k is distributed accordingly to PK c is distributed accordingly to Pcover Applications No tamper-resistant hardware Protection of key materials
Our Approaches Key = Ciphertext Requires Applications S: MCC (k1,k2) = S(m) Requires k1 and k2 distributed accordingly to Pcover Applications Secret sharing Robustness
Research Progress To understand information hiding Perfect hiding (done) Necessary and sufficient conditions Computational complexity results Constructions of prefect secure schemes Constructions of schemes with non-reliability Computational hiding (under research) Conventional constructions Public key schemes
Perfect Hiding Scheme Condition Algorithms Pcover(c) 1/|M| Setup: produce |M| matrices Ai Disjoint non-zero entries Columns sum up to Pcover Rows sum up to the same Encrypt: E(k,m) distributes accordingly to row Am(k).
Perfect Hiding Scheme Algorithms Message distribution independence Encrypt: c=E(k,m) distributes accordingly to row Am(k). Decrypt: Output m such that Am(k,c)>0. Message distribution independence Hiding implies privacy.
Other aspects Other aspects Extra problem Replacing privacy by authenticity Digital watermarking Extra problem Robustness against modifications Simple modifications General modifications
How to exploit Quadratic residues Decision Diffie-Hellman n = pq S1 = {x2 |x in Zn*} S2 = {x|x in Zn* and J(x)=1} Decision Diffie-Hellman U1 = (g, ga, gb, gab) mod p U2 = (g, ga, gb, gr) mod p
Conclusion Covert channels Our work Very special distribution General distribution Proven security levels
Thank you Questions?