Upload
erik-poole
View
222
Download
0
Tags:
Embed Size (px)
Citation preview
Information Hiding&
Digital Watermarking
Tri Van Le
Outlines
• Background• State of the art• Research goals• Research plan• Our approaches
Background
• Information hiding– Steganography– Digital watermarking
• Related work– Covert channels– Anonymous communications
Information Hiding
• Steganography– Invisible inks– Small dots– Letters
• Digital watermarking– Copyright information– Tracing information
Information Hiding
• Main idea– Hide messages in a cover
• Steganography– Secrecy of messages
• Watermarking– Authenticity of messages
Covert Channels
• Leakage information (e.g. viruses)– Disk space– CPU load
• Subliminal channels– Digital signatures– Encryption schemes– Cryptographic malwares
Covert Computations
• Computation inside computations– Secret design calculations inside a
factoring computation– Secret physics simulations inside a
cryptographic software or devices
Anonymous Communications
• MIX Networks– Electronic voting– Anonymous communication
• Onion Routings– Limited anonymous communication
• Blind signatures– Digital cash
Digital Watermarking
• Secure against known simple attacks– Common lossy compressions
• JPEG, MPEG, …
– Common signal processing operations• Band pass, echo, pitch, noise filters, …• Crop, scale, move, reshape, …
• Specialized attacks
Information Hiding(state of the art)
• Many schemes were proposed– Most of them were broken
• Use heuristic security– Subjective measurements– Assume very specific enemy
Broken Schemes (I)
Name Author(s) Pro-BroContraband Zimmerman 1996-1999
Echo Hiding Gruhl et. Al. 1996-1998
EIKONA Pitas 1996-1998
EzStego Machado 1994-1999
Fravia Fravia 1995-1999
Broken Schemes (II)
Name Author(s) Pro/BroHide and Seek Latham 1998-1999
J K_PGS Kutter & J ordan 1997-1998
J Steg Korejwa 1998-1999
NEC Method Cox et. Al. 1996-1998
PGMStealth Rinne 1994-1999
Broken Schemes (III)
Name Author(s) Pro/BroPictureMarc Rhoads 1997-1998
Piilo Aura 1995-1999
Snow Kwan 1996-1999
Steganos Steganos GmbH 1996-1999
Stegodos Wolf 1995-1999
Broken Schemes (IV)
Name Author(s) Pro/BroS-Tools Brown 1995-1999
SureSign Signum Tech 1997-1998
SysCoP Koch & Zhao 1995-1998
White noise storm Arachelian 1994/1999
Cryptography in the 80s
• Beginning time of open research• A lot of schemes proposed• Most of them soon broken
Broken Cryptosystems (I)
MerkleHellman
1978-1984
IteratedKnapsack
1978-1984
Lu-Lee
1979-1980
MerlkeHellman
MerlkeHellman
Lu-Lee
AdigaShankar
1985-1988
AdigarShankar
Nieder-reiter
1986-1988
Neiderreiter
GoodmanMcAuly
1984-1988
GoodmanMcAuly
Pieprzyk
1985-1988
Pieprzyk
ChorRivest
1988-1998
ChorRivest
Okamoto
1986-1987
Okamoto
Okamoto
1987-1988
Okamoto
Broken Cryptosystems (II)
MatsumotoImai
1983-1984
Cade
1985-1986
Yagisawa
1985-1986
MatsumotoImai
Cade Yasigawa
TMKIF
1986-1985
Tsujii, ItohMatsumotoKurosama
Fujioka
LuccioMazzone
1980-1981
LuccioMazzone
KravitzReed
1982-1982
KravitzReed
RaoNam
1986-1988
RaoNam
LowDegree
CG
1982
HighDegree
CG
1988
RivestAdleman
Dertouzos
1978-1987
RivestAdleman
Dertouzos
KrawczykBoyar
...
Proven Secure Schemes
• Perfectly secure schemes– Shannon (1949)
• Computationally secure schemes – Goldwasser and Micali (1982)– Rabin (1981)
Perfectly Secure Cryptosystems
• Shannon’s work (1949)– Mathematical proof of security– Information theoretic secrecy
• Enemy with unlimited power– Can compute any desired function
Computationally Secure Cryptosystems
• Rabin (81), Goldwasser & Micali (82)– Mathematical proof of security– Computational secrecy
• Enemy with limited time and space– Can run in polynomial time– Can use polynomial space
Research Goals
• Fundamental way– Systematic approach– Same as Shannon and Goldwasser’s
work
• What are the properties– Hiding– Secrecy – Authenticity
Fundamental Models
• Unconditional Security– Unlimited enemy
• Statistical Security– Polynomial number of samples
• Computational Security– Polynomial time and space
Information Hiding Properties
• Hiding property– Output must look like the cover
• Secrecy property– No partial information on input
message
• Authenticity property– Hard to compute valid output
Unconditional Hiding
• Definition– E: KM C, encryption function– K: key set, M: message set, C: cover
set
– Pcover: probability distribution of covers
– Pc: probability distribution of E(k,m)
• Requires– Pc = Pcover
Statistical Hiding
• Definition– Pcover: probability distribution of covers
– Pc: probability distribution of E(k,m)
– n: description length of each cover
• Requires– |Pc - Pcover| is negligible.
– |Pc - Pcover| < n-d for all d>0 and n>Nd.
Computational Hiding
• Definition– Pcover: probability distribution of covers
– Pc: probability distribution of E(k,m)
– n: description length of each cover
• Requires– Pc and Pcover are P-time
indistinguishable
Computational Hiding
• P-time indistinguishable– For all P.P.T.M. A, d>0, and n>Nd:
Prob(A(Pc)=1) - Prob(A(Pcover)=1) < n-d.
– Informally speaking• No P-time enemy can tell apart Pc and
Pcover
Unconditional Secrecy
• Ciphertext independence:– Prob(m|E(k,m)) = Prob(m)
• Informally• no information on message given
ciphertext
Statistical Secrecy
• Negligible advantages:– For all m in M, d>0, n>Nd:
• |Prob(m|E(k,m)) - Prob(m)| < n-d
– Informally• Only negligible amount of information on
message leaked when given the ciphertext.
Computational Secrecy
• Negligible chances:– For all P.P.T.M. A:
– For all m in M, d>0, n>Nd:• |Prob(A(E(k,m))=m)| < n-d
– Informally• Only negligible chance of output correct
m.
Our Approaches
• Arbitrary key– Steganography, watermarking
• Restricted key– Protection of key materials
• Key = Ciphertext– Secret sharing
Our Approaches
• Arbitrary key distribution– E(k,m) is distributed accordingly to
Pcover
• Applications– Steganography– Digital watermarking– Tamper-resistant hardware
Our Approaches
• Restricted key distribution– c = E(k,m)
– k is distributed accordingly to PK
– c is distributed accordingly to Pcover
• Applications– No tamper-resistant hardware– Protection of key materials
Our Approaches
• Key = Ciphertext– S: MCC– (k1,k2) = S(m)
• Requires– k1 and k2 distributed accordingly to Pcover
• Applications– Secret sharing– Robustness
Research Progress
• To understand information hiding– Perfect hiding (done)
• Necessary and sufficient conditions• Computational complexity results• Constructions of prefect secure schemes• Constructions of schemes with non-reliability
– Computational hiding (under research)• Conventional constructions• Public key schemes
Perfect Hiding Scheme
• Condition– Pcover(c) 1/|M|
• Algorithms– Setup: produce |M| matrices Ai
– Disjoint non-zero entries– Columns sum up to Pcover
– Rows sum up to the same
– Encrypt:– E(k,m) distributes accordingly to row Am(k).
Perfect Hiding Scheme
• Algorithms– Encrypt:
– c=E(k,m) distributes accordingly to row Am(k).
– Decrypt:– Output m such that Am(k,c)>0.
• Message distribution independence– Hiding implies privacy.
Other aspects
• Other aspects– Replacing privacy by authenticity– Digital watermarking
• Extra problem– Robustness against modifications– Simple modifications– General modifications
How to exploit
• Quadratic residues– n = pq
– S1 = {x2 |x in Zn*}
– S2 = {x|x in Zn* and J(x)=1}
• Decision Diffie-Hellman– U1 = (g, ga, gb, gab) mod p
– U2 = (g, ga, gb, gr) mod p
Conclusion
• Covert channels– Very special distribution
• Our work– General distribution– Proven security levels
Thank you
• Questions?