On the Gold Standard for Security of Universal Steganography
Sebastian Berndt and Maciej Liśkiewicz, Institute of Theoretical Computer Science, Universität zu Lübeck
EUROCRYPT, 2018
Steganography / Subliminal Communication
Modern steganography: popular due to the prisoners’ problem by Simmons (1984)
Many steganographic software tools exist
An information-theoretic model: Cachin (1998)
The computational model, secret-key steganography: Hopper, Langford, and von Ahn (2002), and Katzenbeisser and Petitcolas (2002)
(Universal / generic) secure secret-key steganography exists
Secure public-key steganography – many problems open
On the Gold Standard for Security of Universal Steganography EUROCRYPT, 2018 2 / 14
Steganography
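[Diagram: the encoder Alice embeds a message m in a document d from channel C and sends d to the decoder Bob, who recovers m. The Warden observes d and asks: steganography in d?]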
Public-Key Steganography
| Work | Security | Channels | Applicability |
|---|---|---|---|
| von Ahn and Hopper 2003 | passive | universal | possible |
| Backes and Cachin 2005 | RCCA | universal | possible |
| Hopper 2005 | CCA | single constr. channel | possible |

Hopper 2005: Does universal CCA-secure public-key steganography exist?
| Work | Security | Channels | Applicability |
|---|---|---|---|
| This work | CCA | all memoryless channels | possible |
| This work | CCA | universal | impossible |
Public-Key Steganography
Channel and Stegosystem
A channel C: a function that maps every history hist (a sequence of previously seen documents) to a probability distribution on documents
A stegosystem S = (S.Gen, S.Enc, S.Dec) on a channel C:
(pk, sk) ← S.Gen(κ)
The stegoencoder generates d_1, ..., d_l ← S.Enc^C(pk, m, hist), having access to the sampling oracle C with history hist
The stegodecoder: m′ ← S.Dec(sk, d_1, ..., d_l)
S is reliable if w.h.p. S.Dec(sk, S.Enc^C(pk, m, hist)) = m
Public-Key Steganography
Chosen-Covertext Attack
[Diagram: the encoder embeds m in a document d from channel C and sends it to the decoder. The Warden asks "steganography in d?" and also passes documents d_1, d_2, ... to the decoder, obtaining m_1, m_2, ...]
Chosen-Covertext Attack (CCA): as Chosen-Ciphertext Attack
Replayable-Chosen-Covertext Attack (RCCA): no replays
d_i is a replay of d if Dec(d_i) = Dec(d)
Public-Key Steganography
CCA-Security
CCA-security game: CCA(Ward, S, C, κ)
    (pk, sk) ← S.Gen(1^κ)
    (m*, hist*) ← Ward.Find^{Dec_sk}(pk)
    b ← {0, 1}
    if b = 0 then
        d* ← S.Enc^C(pk, m*, hist*)
    else
        d* ← C^l_{hist*}
    b′ ← Ward.Guess^{Dec_{sk,d*}}(pk, m*, hist*, d*)
    return b = b′
S is called CCA-secure against C if for every Ward the advantage |Pr[CCA(Ward, S, C, κ) = true] − 1/2| ≤ negl
CCA-secure stegosystem for memoryless channels
UDP network packets: in arbitrary order (memoryless)
[Diagram: encoder and decoder, with packets shown in the order P4, P2, P1, P3]
Formally, we say that a channel C is memoryless if C_hist = C_hist′ for all hist, hist′, i.e. if the history has no effect on the channel distribution.
Theorem: ∃ S ∀ C ∈ Memoryless: S is CCA-secure over C.
Prevent document replacement with hash-value
Prevent reordering of documents with PRP
Embed: message + hash-value + PRP-key in a sequence of documents d_1, ..., d_N
Problem: d_1, ..., d_N should not deviate from random permutation
CCA-secure stegosystem for memoryless channels
Obtaining biased ciphertexts
Let N, N_0, L be integers, with N_0 ≥ L and N − N_0 ≥ L
Let D_{N,N_0,L} be a distribution over {0, 1}^L defined as follows:
given: N elements, N_0 labeled with 0 and N − N_0 labeled with 1
draw randomly a sequence of L elements (without replacement)
look at the generated bitstring b_1 ... b_L determined by the labels
CCA-secure stegosystem for memoryless channels
Obtaining biased ciphertexts
Proposition: If doubly-enhanced trapdoor permutations exist, then there is a secure public-key cryptosystem (PKES*.Enc_{N,N_0}, PKES*.Dec_{N,N_0}), with ciphertexts of length L, such that its ciphertexts are indistinguishable from the probability distribution D_{N,N_0,L} whenever N and N_0 satisfy N_0 ≥ L and N − N_0 ≥ L.
CCA-secure stegosystem for memoryless channels
Ordering documents
generate(D, f, b_1, ..., b_L, k_P)
D: set with |D| = N; f: hash function; b_1, ..., b_L: bits; k_P: PRP key
    let D_0 = {d ∈ D | f(d) = 0} and D_1 = {d ∈ D | f(d) = 1}
    for i = 1 to L do
        d_i := arg min_{d ∈ D_{b_i}} Eval_{k_P}(d)
        D_{b_i} := D_{b_i} \ {d_i}
    let D′ = D_0 ∪ D_1
    for i = L + 1, ..., N do
        d_i := arg min_{d ∈ D′} Eval_{k_P}(d)
        D′ := D′ \ {d_i}
    return d_1, d_2, ..., d_N
Notice: f(d_1) = b_1, f(d_2) = b_2, ..., f(d_L) = b_L
CCA-secure stegosystem for memoryless channels
The Encoder
Enc(pk*, m)
pk* = (pk, f): public key; m: message; access to channel C
    let L = length of ciphertexts of PKES* and N = 8L
    // preprocessing:
    D_0 := ∅ and D_1 := ∅
    for j = 1 to N do
        sample d_j from C; let D_{f(d_j)} := D_{f(d_j)} ∪ {d_j}
    N_0 = |D_0|
    if |D_0 ∪ D_1| < N or N_0/N ∉ [1/3, 2/3] then return d_1, ..., d_N and halt
    // main phase:
    k_H ← hash key; k_P ← PRP key
    h := H_{k_H}(lex(D_0 ∪ D_1))
    m* := m || k_H || k_P || h
    b_1, b_2, ..., b_L ← PKES*.Enc_{N,N_0}(pk, m*)
    let d := generate(D_0 ∪ D_1, f, b_1, ..., b_L, k_P)
    return d
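The ordering step of generate and the hash step of Enc, as an added Python sketch that is not the authors' code. Assumptions: HMAC-SHA256 stands in for both Eval_kP (it is a PRF, not a PRP) and H_kH, f is taken to be the low bit of SHA-256, the bits b_1, ..., b_L are constructed rather than produced by PKES*, and the receiver-side check `accepts` is inferred from the two "prevent" bullets, not shown on the slides.

```python
import hashlib
import hmac

def f(doc):
    """Public labelling function f (assumed: low bit of SHA-256)."""
    return hashlib.sha256(doc).digest()[-1] & 1

def ev(k_p, doc):
    """Stand-in for Eval_kP: HMAC-SHA256 supplies the keyed order (PRF, not a PRP)."""
    return hmac.new(k_p, doc, hashlib.sha256).digest()

def generate(docs, bits, k_p):
    """Order docs so f(d_i) = b_i for i <= L; the other N - L follow in keyed order."""
    pool = {0: [], 1: []}
    for d in sorted(set(docs), key=lambda x: ev(k_p, x)):
        pool[f(d)].append(d)
    out = []
    for b in bits:
        if not pool[b]:
            raise ValueError("not enough documents labelled %d" % b)
        out.append(pool[b].pop(0))      # arg min over D_b, then D_b := D_b \ {d_i}
    return out + sorted(pool[0] + pool[1], key=lambda x: ev(k_p, x))

def set_hash(k_h, docs):
    """h := H_kH(lex(D)): keyed hash over the lexicographically sorted set."""
    mac = hmac.new(k_h, digestmod=hashlib.sha256)
    for d in sorted(set(docs)):
        mac.update(len(d).to_bytes(4, "big") + d)   # length prefix: unambiguous encoding
    return mac.digest()

def accepts(seq, L, k_p, k_h, h):
    """Assumed receiver check: same document set (hash) and same order (generate)."""
    if len(set(seq)) != len(seq) or not hmac.compare_digest(set_hash(k_h, seq), h):
        return False
    # A swap among the first L positions that changes the labels changes the bit
    # string itself; how the ciphertext layer reacts to that is not modelled here.
    bits = [f(d) for d in seq[:L]]
    return generate(seq, bits, k_p) == list(seq)

if __name__ == "__main__":
    L, k_p, k_h = 8, b"P" * 32, b"H" * 32                       # constructed keys
    docs = [b"constructed-doc-%03d" % i for i in range(8 * L)]  # N = 8L samples
    bits = [f(d) for d in docs[:L]]     # constructed; in Enc they come from PKES*.Enc
    seq = generate(docs, bits, k_p)
    h = set_hash(k_h, docs)
    print(accepts(seq, L, k_p, k_h, h))                              # True
    print(accepts(seq[:-2] + [seq[-1], seq[-2]], L, k_p, k_h, h))    # False: reordered
    print(accepts(seq[:-1] + [b"substituted-doc"], L, k_p, k_h, h))  # False: replaced
```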
An Impossibility Result
TCP network packets: built-in counter (0-memoryless)
[Diagram: packets P1, P2, P3, P4 between encoder and decoder, each carrying its counter value 1, 2, 3, 4]
Formally: a channel C is 0-memoryless if C_hist = C_hist′ for all hist, hist′ such that |hist| = |hist′|.
Theorem: ∀ S ∃ C ∈ 0-Memoryless: S is not CCA-secure over C.
Corollary: There exists no universal CCA-secure stegosystem.
Summary
We consider the common computational model for steganography and demonstrate a clear dichotomy result for universal public-key steganography
Dedić, Itkis, Reyzin, and Russell (2009) show that provably secure universal steganography needs a huge number of sample documents to embed long secret messages
However, such a limitation does not necessarily restrict the applicability of steganography
A recent example: successful Algorithm Substitution Attacks (ASAs) against symmetric encryption schemes (Bellare et al. 2014, 2015) or digital signature schemes (Ateniese et al. 2015) etc. correspond to secure stegosystems on certain channels and vice versa (Berndt, L. 2017)