1. Information Hiding & Digital Watermarking
Tri Van Le

2. Outlines Background State of the art Research goals Research plan
Our approaches

3. Background Information hiding Related work Steganography
Digital watermarking
Related work
Covert channels
Anonymous communications

4. Information Hiding Steganography Digital watermarking Invisible inks
Small dots
Letters
Digital watermarking
Copyright information
Tracing information

5. Information Hiding Main idea Steganography Watermarking
Hide messages in a cover
Steganography
Secrecy of messages
Watermarking
Authenticity of messages

6. Covert Channels Leakage information (e.g. viruses) Subliminal channels
Disk space
CPU load
Subliminal channels
Digital signatures
Encryption schemes
Cryptographic malwares

7. Covert Computations Computation inside computations
Secret design calculations inside a factoring computation
Secret physics simulations inside a cryptographic software or devices

8. Anonymous Communications
MIX Networks
Electronic voting
Anonymous communication
Onion Routings
Limited anonymous communication
Blind signatures
Digital cash

9. Digital Watermarking Secure against known simple attacks
Common lossy compressions
JPEG, MPEG, …
Common signal processing operations
Band pass, echo, pitch, noise filters, …
Crop, scale, move, reshape, …
Specialized attacks

10. Information Hiding (state of the art)
Many schemes were proposed
Most of them were broken
Use heuristic security
Subjective measurements
Assume very specific enemy

11. Broken Schemes (I)

12. Broken Schemes (II)

13. Broken Schemes (III)

14. Broken Schemes (IV)

15. Cryptography in the 80s Beginning time of open research
A lot of schemes proposed
Most of them soon broken

16. Broken Cryptosystems (I)
Merkle
Hellman
Iterated
Knapsack
Lu-Lee
Adiga
Shankar
Nieder- reiter
Merlke
Hellman
Merlke
Hellman
Lu-Lee
Adigar
Shankar
Neiderreiter
Goodman McAuly
Pieprzyk
Chor Rivest
Okamoto
Okamoto
Goodman
McAuly
Pieprzyk
Chor
Rivest
Okamoto
Okamoto

17. Broken Cryptosystems (II)
Matsumoto
Imai
Cade
Yagisawa
TMKIF
Luccio
Mazzone
Matsumoto
Imai
Cade
Yasigawa
Tsujii, Itoh
Matsumoto
Kurosama
Fujioka
Luccio
Mazzone
Kravitz
Reed
Rao
Nam
Low
Degree CG
1982
High Degree CG
1988
Rivest
Adleman
Dertouzos
...
Kravitz
Reed
Rao
Nam
Boyar
Krawczyk
Rivest
Adleman
Dertouzos

18. Proven Secure Schemes Perfectly secure schemes
Shannon (1949)
Computationally secure schemes
Goldwasser and Micali (1982)
Rabin (1981)

19. Perfectly Secure Cryptosystems
Shannon’s work (1949)
Mathematical proof of security
Information theoretic secrecy
Enemy with unlimited power
Can compute any desired function

20. Computationally Secure Cryptosystems
Rabin (81), Goldwasser & Micali (82)
Mathematical proof of security
Computational secrecy
Enemy with limited time and space
Can run in polynomial time
Can use polynomial space

21. Research Goals Fundamental way What are the properties
Systematic approach
Same as Shannon and Goldwasser’s work
What are the properties
Hiding
Secrecy
Authenticity

22. Fundamental Models Unconditional Security Statistical Security
Unlimited enemy
Statistical Security
Polynomial number of samples
Computational Security
Polynomial time and space

23. Information Hiding Properties
Hiding property
Output must look like the cover
Secrecy property
No partial information on input message
Authenticity property
Hard to compute valid output

24. Unconditional Hiding Definition Requires
E: KM  C, encryption function
K: key set, M: message set, C: cover set
Pcover: probability distribution of covers
Pc: probability distribution of E(k,m)
Requires
Pc = Pcover

25. Statistical Hiding Definition Requires
Pcover: probability distribution of covers
Pc: probability distribution of E(k,m)
n: description length of each cover
Requires
|Pc - Pcover| is negligible.
|Pc - Pcover| < n-d for all d>0 and n>Nd.

26. Computational Hiding Definition Requires
Pcover: probability distribution of covers
Pc: probability distribution of E(k,m)
n: description length of each cover
Requires
Pc and Pcover are P-time indistinguishable

27. Computational Hiding P-time indistinguishable
For all P.P.T.M. A, d>0, and n>Nd:
Prob(A(Pc)=1) - Prob(A(Pcover)=1) < n-d.
Informally speaking
No P-time enemy can tell apart Pc and Pcover

28. Unconditional Secrecy
Ciphertext independence:
Prob(m|E(k,m)) = Prob(m)
Informally
no information on message given ciphertext

29. Statistical Secrecy Negligible advantages:
For all m in M, d>0, n>Nd:
|Prob(m|E(k,m)) - Prob(m)| < n-d
Informally
Only negligible amount of information on message leaked when given the ciphertext.

30. Computational Secrecy
Negligible chances:
For all P.P.T.M. A:
For all m in M, d>0, n>Nd:
|Prob(A(E(k,m))=m)| < n-d
Informally
Only negligible chance of output correct m.

31. Our Approaches Arbitrary key Restricted key Key = Ciphertext
Steganography, watermarking
Restricted key
Protection of key materials
Key = Ciphertext
Secret sharing

32. Our Approaches Arbitrary key distribution Applications
E(k,m) is distributed accordingly to Pcover
Applications
Steganography
Digital watermarking
Tamper-resistant hardware

33. Our Approaches Restricted key distribution Applications c = E(k,m)
k is distributed accordingly to PK
c is distributed accordingly to Pcover
Applications
No tamper-resistant hardware
Protection of key materials

34. Our Approaches Key = Ciphertext Requires Applications S: MCC
(k1,k2) = S(m)
Requires
k1 and k2 distributed accordingly to Pcover
Applications
Secret sharing
Robustness

35. Research Progress To understand information hiding
Perfect hiding (done)
Necessary and sufficient conditions
Computational complexity results
Constructions of prefect secure schemes
Constructions of schemes with non-reliability
Computational hiding (under research)
Conventional constructions
Public key schemes

36. Perfect Hiding Scheme Condition Algorithms Pcover(c)  1/|M|
Setup: produce |M| matrices Ai
Disjoint non-zero entries
Columns sum up to Pcover
Rows sum up to the same
Encrypt:
E(k,m) distributes accordingly to row Am(k).

37. Perfect Hiding Scheme Algorithms Message distribution independence
Encrypt:
c=E(k,m) distributes accordingly to row Am(k).
Decrypt:
Output m such that Am(k,c)>0.
Message distribution independence
Hiding implies privacy.

38. Other aspects Other aspects Extra problem
Replacing privacy by authenticity
Digital watermarking
Extra problem
Robustness against modifications
Simple modifications
General modifications

39. How to exploit Quadratic residues Decision Diffie-Hellman n = pq
S1 = {x2 |x in Zn*}
S2 = {x|x in Zn* and J(x)=1}
Decision Diffie-Hellman
U1 = (g, ga, gb, gab) mod p
U2 = (g, ga, gb, gr) mod p

40. Conclusion Covert channels Our work Very special distribution
General distribution
Proven security levels

41. Thank you
Questions?