7/29/2019 A Steganographic Scheme Based on Chaos-2007

1/5

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1325

Correspondence

On the Security of A Steganographic Scheme

for Secure Communications Based on the Chaos

and the Euler TheoremRainer Bhme and Christian Keiler

AbstractThis paper contains a security analysis of the construction ofa public key steganographic system based on chaos theory and the Euler

theorem (PKS-CE) as proposed by Lou and Sung in a previous issue ofthis transactions. Our analysis results in attack strategies on two differentlayers: first, we identify weaknesses of the embeddingfunction, whichallow

a passive warden to tell steganographic images from clean carriers apart.Second, we show that the allegedly asymmetric trap-door function in factcan be efficiently inverted solely with the knowledge of its public parame-ters, thus revealing the secret message as plain text to a passive adversary.Experimental results from a re-implementation further indicate that theclaimed robustness of the embeddedmessageagainsttransformations of the

carrier medium was far too optimistic. Finally, we demonstrate that a se-cure alternative system can easily be constructed from standard primitivesif the strong assumptions made in PKS-CE for the mutual key exchange

can actually be fulfilled.

Index TermsInformation hiding, public key steganography, security

analysis, steganalysis.

I. INTRODUCTION

Steganographic techniques as described by Simmons [11] enable

covered message exchange over unsuspicious communication chan-

nels. Their security can be measured by the difficulty to detect the mere

existence of hidden communication in a public channel. An attack is

successful and a steganographic method considered as broken if the ad-versary is able to tell steganographic communication from clean traffic

apart with a probability of success better than random guessing.

In the baseline case, the communication partners share a secret key.

The majority of known steganographic algorithms hence belongs to the

class of secret key steganography (SKS). Anderson and Petitcolas [1]

firstdefinedpublickeysteganography(PKS)analogouslytoasymmetric

(public key)cryptography. Thispaper contains a securityanalysisof one

specificschemeforpublickeysteganographyproposedbyLouandSung

[10], further referred to as PKS-CE. In contrast to theoretical work on

PKS in the literature (see [2], [9], and [12]), Lou and Sungs scheme

is intended to be ready for implementation. It also differs from prior

art in the choice of the cryptographic operation. A generic approach to

PKS is to embed the entire bit stream of an asymmetrically encrypted

messagewithanSKSembeddingoperation,withtheexceptionthatallitsparameters aremadepublic (i.e. arecommonly shared). Louand Sungs

construction, however, determines the embeddingposition ofindividual

message bits with an asymmetric mapping function.

Before advancing to the security analysis, we recall the construction

of PKS-CE, as visualized in Fig. 1. First, message M is transformed to

Manuscript received December 22, 2005; revised April3, 2007. The associateeditor coordinating the review of this manuscript and approving it for publica-tion was Dr. Ching-Yung Lin.

R. Bhme is with the Institute of Systems Architecture, Technische Univer-sitt Dresden, 01062 Dresden, Germany (e-mail: rainer.boehme@tu-dresden.de).

C. Keiler is withthe SignsoftGmbH, 01127 Dresden, Germany (e-mail: chris-tian.keiler@signsoft.com).

Digital Object Identifier 10.1109/TMM.2007.902898

Fig. 1. Block diagram of Lou and Sungs PKS-CE.

a message matrix representation (MMR). This transformation can be

complemented with an optional error-correcting code (ECC). A trap-

door mapping function Map is applied on each matrix coordinate ( i ; j )

to compute the position in the carrier matrix representation (CMR).

This function consists of two nested mapping operations, which take

a coordinate( i ; j )

, the secret key of the senderk

S S

and the public

key of the recipient kP R

to compute a corresponding embedding po-

sition ( i 3 ; j 3 ) in the carrier. The embedding operation F returns the

steganogram. It works on individual bits and it is applied with globalparameters only.

After the transmission of the steganogram to the recipient, they ex-

tract the carrier message representation ( C M R 3 ) . The message matrix

representation M M R 3 can be recovered with theinversemappingfunc-

tionM a p

0 1 using the public key of the senderk

P S

and the secret key

of the recipient kS R

M a p : ( i ; j ; k

S S

; k

P R

; S ) 7! ( i

3

; j

3

)

M a p

0 1

: ( i

3

; j

3

; k

P S

; k

S R

; S ) 7! ( i

; j

) (1)

S is a global parameter. The message is obtained after linearization and

optional error decoding ( E C C 0 1 ) .

Our security analysis is structured as follows: Section II explains

details of the embedding function before its weaknesses are pointedout and backed with experimental evidence in Section III. Accordingly,

Section IV deals with the mapping function followed by an analysis in

Section V. Before we conclude, and as a reaction to the weaknesses

identified, a more secure alternative construction based on standard

cryptographic primitives is sketched in Section VI.

II. DESCRIPTION OF THE EMBEDDING FUNCTION

The choice of an embedding function is always specific to the prop-

erties of the carrier medium. PKS-CE is designed for grayscale images

stored as a matrix of intensity values. The embedding function takes an

embedding position ( i 3 ; j 3 ) and the value of one message bit m( i ; j )

as arguments and alters the carrier so that the resulting steganogram

contains the semantic of the message bit. Obviously, this modification

1520-9210/$25.00 2007 IEEE

7/29/2019 A Steganographic Scheme Based on Chaos-2007

2/5

1326 IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

Fig. 2. Relation of a pixel to its local neighborhood.

should neither be perceptible to visual inspection nor alter the statis-

tical properties of carrier media. To achieve imperceptibility, PKS-CE

adaptively takes into account the local neighborhood of( i

3

; j

3

)

with

intensityx

( i ; j )

, as shown in Fig. 2. PKS-CE defines three control

variablesl

(

i ; j

)

(upper left),r

(

i ; j

)

(lower right) anda

(

i ; j

)

(sur-round), which average the neighborhood intensities

l

( i ; j )

=

1

3

x

( i 0 1 ; j 0 1 )

+ x

( i ; j 0 1 )

+ x

( i 0 1 ; j )

r

( i ; j )

=

1

3

x

( i + 1 ; j )

+ x

( i ; j + 1 )

+ x

( i + 1 ; j + 1 )

a

( i ; j )

=

1

2

l

( i ; j )

+ r

( i ; j )

: (2)

Let t be a global parameter for the embedding strength. We shall call

pixel x( i ; j )

at position ( i 3 ; j 3 ) center pixel and omit the indices for

the sake of brevity. The embedding process distinguishes three possible

cases.

First, the center pixel has a homogenous neigborhood relative tot

if j l 0 r j 3 1 t . In this case, a zero bit is embedded by subtracting

t from a ; and a one by adding t to a . Second, the center pixel is part

of a downward slope if j l 0 r j > 3 1 t and l > r . In this case, for a

zero, the resulting pixel is set close to the higher neighbors, precisely

tol 0 t

. In turn, a one is embedded by setting the pixel close to the

lower neighbors r + t . Third, for an upward slope, where j l 0 r j > 3 1 t

and l < r , the assignment of zeros and ones is inverse to the second

case with l now representing the lower neighbors and r the higher ones.

Hence, the resulting pixel isl + t

for zeros andr 0 t

for ones.

The extraction function F 0 1 works accordingly. It first determines

whether the decoded pixel position( i

; j

)

is in a homogenous neig-

borhood relative to t . If so, a comparison whether the center pixels in-

tensity is smaller or equal thana

( i ; j )

reveals the message bit value.

Otherwise the extraction function checks whether the center pixels in-

tensity is closer tol

( i ; j ) or tor

( i ; j ) before deciding between zeroand one in a second step.

There are several sources for bit errors in steganographic communi-

cation. On the transmission channel, marginal changes in the intensity,

either caused by random distortions or by an active adversary trying

to prevent steganographic communication, may destroy the stegano-

graphic content. Another source of error is specific to this embedding

function and occurs even in perfect channels: if two embedding posi-

tions fall next to each other, wrong extraction results may occur due to

the influence of the second embedding on the neighborhood of the first.

The PKS-CE scheme proposes the error correcting code to cope with

any of these errors.

The impact of errors from subsequent embedding in the same neigh-

borhood can be measured experimentally. We embed 875 bits into each

of 100 8-bit grayscale test images sized 253 2 253 pixels [i.e., the em-

bedding rate is as low as 0.014 bits per pixel (bpp)], at positions given

TABLE IEXPERIMENTAL RESULTS FOR ATTACKS ON THE EMBEDDING FUNCTION

Average share of t -pixels and average edge length (in pixels) of the largest

square withoutt

-pixels. Averages are computed over 100 images for plain

carriers and steganograms.

by the PKS-CE mapping function and then count the number of suc-

cessful extractions. Fort = 1

we found 9.95 bit errors( = 1 : 1 4 % )

on

average across images. With an error correcting codeReed-Solomon

RS(31,25), as proposed in [10]the error rate declined somewhat to

7.60( = 0 : 8 7 % )

on average.

III. WEAKNESSES OF THE EMBEDDING FUNCTIONIn steganography, unlike for some watermarking applications, it is

reasonable to adhere to Kerckhoffs principle and assume that an ad-

versary has full knowledge of the functioning of the steganographic

system except for its secret keys [1], [8]. This is not only regarded as

a good practice to develop truly secure algorithms, but also follows di-

rectly from the principles of public key steganographic systems, which

aim at avoiding obscurity. If their secure application depends on any

additional secrets shared between sender and recipient, the extra effort

to construct PKS as opposed to far simpler SKS would be rendered

useless. Therefore, we deem it justified to assume that the adversary

knows all public and global parameters of the concrete implementa-

tion of PKS-CE in a specific communication context.1

The idea of this steganalysis exploits the deterministic embedding

equations specified in the embedding function. Since the relation be-

tween pixels and their neighborhood is fixed in the steganogram, an

attacker can evaluate this relation for each pixel in an image. He or

she can further infer the existence of steganographic content from an

atypical high number of pixels that exactly fulfill one of the embedding

equations.

Consequently, we define the notiont

-pixel as pixel where one of the

embedding equations between the pixel and its neighborhood holds for

a given parametert

. This corresponds to the following formal expres-

sion:l

( i ; j )

0 r

( i ; j )

3 1 t x

( i ; j )

a

( i ; j )

6 t

_ l

( i ; j )

0 r

( i ; j )

> 3 1 t

x

( i ; j )

l

( i ; j )

6 t _ x

( i ; j )

r

( i ; j )

6 t : (3)

By applying this criterion on a large number of test images, both

plain carrier and steganograms, we found a stable share of t -pixels,

which depends on parametert

and the embedding ratio. As reported in

Table I, plain carriers contain fewer t -pixels than steganograms. Thus,

forsuitable settings oft , a simplecriterion based onthe share oft -pixels

yields a reliable stego detector.

If the mere number doesnot discriminate sufficiently, then the spatial

distribution oft

-pixels can be evaluatedto improve the detection power.

Since the occurrence of t -pixels in plain carrier images is correlated

with the image structure, there exist regions with higher concentration

of t -pixels as well as regions without any. Steganographic modifica-

tions, however, appear randomly in the entire space of the CMR. This

1

Note that most weaknesses would still allow for successful attacks even ifthe exact values of global parameterssuch as t were unknown, as missingparameters could be efficiently estimated by the adversary.

7/29/2019 A Steganographic Scheme Based on Chaos-2007

3/5

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1327

Fig. 3. Distribution oft

-pixels: (a) original, (b) filtered image without embed-ding, and (c) filtered image with small capacity stego message.

causest

-pixels in the steganogram to appear regardless of the image

structure. Fig. 3 illustrates the distribution of t -pixels in one example

grayscale image by applying a filter that visualizes the positions of

t -pixels for t = 1 in a clean image and [cf. Fig. 3(b)] a steganogramwith about 0.1 bits per pixel payload [cf. Fig. 3(c)]. It is also visible

that the mapping function reduces the set of possible embedding posi-

tions to the CMR area (see below in Section V). An easy measure that

can be used as a stego-detector is the maximum square area within the

dimension of the CMR that does not contain any t -pixel. This value dif-

fers considerably between plain carriers and steganograms, as reported

in columns 4 and 5 of Table I. The performance in terms of detection

rate and false positives of stego detectors using the above described

methods is given by receiver operating characteristics (ROC) charts in

Fig. 4. The charts show that the spatial criterion allows for perfect sep-

aration for t 2 f 6 ; 1 2 g and is still highly reliable for t = 1 .

The original paper also claimed a sort of robustness of PKS-CE

against noise in the intensity values of the steganogram due to channeldisturbance or active tampering. To verify the results, a re-implemen-

tation of the scheme has been used to evaluate the robustness against

Gaussian noise with zero mean and standard deviation in the range of

( 1 = 1 2 ) 1 t

to9 1 t

. Following the description in [10], a Reed-Solomon

code RS(31,25) has been employed as ECC. The results of these ex-

periments (Table II) show that even very subtle noise causes a high

number of uncorrectable bit errors. The robustness increases somewhat

for higher values oft

, but at the same time the probability for heavily

visible artifacts soars.

In the following, we will show why it will not be sufficient to fix the

weaknesses of the embedding function to make the scheme secure.

IV. DESCRIPTION OF THE MAPPING FUNCTION

Function Map is supposed to be an asymmetric cryptographic func-

tion, which is based on the Euler theorem and chaos theory. Since the

Fig. 4. ROC curvesfor different valuesoft

and for different detection methods;results from experiments on 100 test images with an average embedding rate of0.1 bpp. Notethatthe scale of false positives has been cut in(b) to make the verysmall error rates visible. (a) Detector based on share of

t

-pixels. (b) Detector

based on spatial distribution of t -pixels.

TABLE IIEXPERIMENTAL RESULTS ON THE ROBUSTNESS OF THE EMBEDDING FUNCTION

Mean error rates for additive Gaussian noise (embedding rate as low as 0.002

bpp) and RS(31,25) error correction.

original publication is not entirely clear in the description of and the

rationales behind the design of the mapping function, the following

discussion has to be considered as a common sense interpretation of

how the scheme works.

ThePKS-CE scheme differs from the majority of other approachesto

PKS by its strong assumptions for the key exchange: even for one-way

communication, both sender and recipient have to transmit the public

part of their key pair to the other party authentically. How this mutual

key exchange can be realized secretly is not considered in the original

publication and thus beyond the scope of this paper.

7/29/2019 A Steganographic Scheme Based on Chaos-2007

4/5

1328 IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007

TABLE IIISCOPE OF CRYPTO PARAMETERS

For the key generation, both sender and recipient independently

chose a public moduln

S

andn

R

, respectively. These numbers ought

to be semi-prime to ensure that the Euler symbols ' ( nS

) and ' ( nR

)

can be computed effectively as' ( u 1 v ) = ( u 0 1 ) ( v 0 1 )

with

knowledge of the (secret) prime factors u and v . Both parties choose

their secret keysk

S S

andk

S R

at random in the range

s e n d e r : ' ( n

S

) > k

S S

> 0

r e c i p i e n t : ' ( n

R

) > k

S R

> 0 :

(4)

Then the public parts are given as differences to the Euler symbols

s e n d e r : k

P S

= ' ( n

S

) 0 k

S S

r e c i p i e n t : k

P R

= ' ( n

R

) 0 k

S R

: (5)

Table III summarizes all relevant parameters of the mapping func-

tion classified by their scope of knowledge (secret, public, global).

Global parameters are constant for all communication relations. The

two primesp

1

andp

2

are both relatively prime ton

S

andn

R

.2 Integer

q > 2 is another global parameter to seed the chaotic mapping.

Parameters p1

, p2

and q are used to build a matrix Q and a so-called

stego-matrixS

as

Q =

1 1

q q + 1

; a n d S = Q 2

p

1

0

0 p

2

2 Q

0 1

: (6)

Later in the mapping function, matrix S needs to be exponentiated.

This is not difficult due to its special structure. As shown in [10, eq.

(6)] it reduces to the exponentiation of scalars

S

= Q 2

p

1

0

0 p

2

2 Q

0 1

: (7)

We need another notation because PKS-CE only uses exponentiation

in rings of integers modulo a number. SoS

means that the exponen-

tiation to the power of is computed modulo .

With the above prerequisites, we can study the basic trap-door map-

ping operation in (8) 3

S

' ( )

Q 2

p

' ( )

1

0

0 p

' ( )

2

2 Q

0 1

( m o d

)

Q 2

1 0

0 1

2 Q

0 1

( m o d )

Q 2 Q

0 1

( m o d )

1 0

0 1

( m o d ) : (8)

To encrypt an MMRmessage position with the coordinates( i ; j )

to a

CMR position with the coordinates( i

3

; j

3

)

, the sender has to use their

2The last condition is easy to fulfill as n and n are semi-prime; in the veryunlikely case that a communication partner chooses a secret parameter equal toa global one, the key generation algorithm has to be repeated.

3

The original paper refers to another variableN

as the public largenumber in the RSA cryptosystem ([10, p. 503])presumedly anothersemi-primewhich can be eliminated analytically.

secret keyk

S S

and the recipients public key kP R

as follows (without

loss of generality, we assumen

S

< n

R

):

M a p :

( i

3

; j

3

) S

k

n

2 S

k

n

2 ( i ; j ) ( m o d n

S

) ( m o d n

R

) :

(9)

Note that the multiplication and modulo operations were not explicitly

defined in the original paper, but the term applyingS

does not allowany other interpretation. As a consequence of the modulo operations,

the dimension of CMR is bound to the infimum of nS

andn

R

[see

Fig. 1 and Fig. 3(c)].

The decryption (i.e., reverse mapping) of( i 3 ; j 3 ) to the original mes-

sage position( i

; j

)

uses the remaining parameters, namely the public

key of the senderk

P S

and the secret key of the recipientk

S R

M a p

0 1

:

( i

; j

) S

k

n

2 S

k

n

2 ( i

3

; j

3

) ( m o d n

R

) ( m o d n

S

) :

(10)

The reverse mapping is alwayspossible as can be seen from the identity

mapping in (8) with the exponent' ( )

. Since the public and secret

parts of a key pair sum up to ' ( nS

) and ' ( nR

) , respectively [see (5)],

inserting (9) in (10) yields the identity mapping as well.To summarize the above paragraphs, the mapping function is build

on two principles. First the Euler theorem for (8) and second the chaotic

orbits as used in Fridrichs [7] stego system, albeit in a secret key sce-

nario.

V. WEAKNESSES OF THE MAPPING FUNCTION

The mapping function suffers from several weaknesses, which can

be broadly structured into practical aspects for real-world applications

and systematical problems with the alleged non-invertibility of Map.

As to the practical issues, one obstacle stems from the fact that Map

maps a small domain to a larger one. In the reverse mappingM a p

0 1 ,

there are way more positions in the preimage than in the projection do-

main d i m ( M M R 3

) , as visualized by the italic bits in C M R3

of Fig. 1.Since the recipient cannot tell steganographically modified pixels apart

from original ones,4 there is little chance to solve the ambiguity intro-

duced at this step. Though not considered in the original paper, there is

a way to improve the extraction by simultaneously applying the t -pixel

criterion as described in Section III to preselect candidate pixels. How-

ever, it appears a little bit awkward to use a weakness in the embedding

layer in order to fix the decryption function.

Regarding computational effort, the decryption of an entire

steganogram is heavy if parameters are chosen in a secure range.

In the worst case one has to iterate nR

1 n

R

(if nR

> n

S

) pixel

positions and subsequently apply the reverse mapping operations to

reconstructM M R

3 . Let

be the length of the binary representation

of the larger modulus, the complexity of the complete decryption in

the O -calculus turns out to be O ( e ` ) . The use of large parameters

has another disadvantage because the required carrier size depends

on the security parameter

. Apart from operational challenges to

handle image data in the order of billions of pixels, solely the fact that

extremely huge images are transmitted is not plausible and thus reveals

the use of steganography. Moreover, a comparison of the complexity

of decryption with the complexity of factorization5 of nR

and nS

,

respectively, shows that factorization of an integer in the order of2

`

is less complex than the reverse mapping of a complete C M R 3 . This

means that it is computationally easier to calculate the secret key from

the public parameters than extracting a message!

4Thesecret key of thesenderk

would be required to identify theembeddingpositions.

5The complexity of th e General Number Field Sieve isO ( e l n ( ) 1 ( l n ( l n ( ) ) ) ) [3].

7/29/2019 A Steganographic Scheme Based on Chaos-2007

5/5

IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1329

As to the systematical problems, it turns out that the mapping func-

tion has actually no trap-door property: Since the global stegomatrixS

is regular and nS

and nR

are both relatively prime to p1

and p2

, the ad-

versary can efficiently compute its inverseS

0 1 , as shown in (11) (n

S

andn

R

are replaced by

)

S

0 1

( m o d ) ; w h e r e

( p

2

0 q 1 p

1

+ q 1 p

2

) 1 p

0 1

1

1 p

0 1

2

( m o d )

( 0 q 1 p

1

+ q 1 p

2

0 q

2

1 p

1

+ q

2

1 p

2

) 1 p

0 1

1

1 p

0 1

2

( m o d )

( p

1

0 p

2

) 1 p

0 1

1

1 p

0 1

2

( m o d )

( p

1

+ q 1 p

1

0 q 1 p

2

) 1 p

0 1

1

1 p

0 1

2

( m o d )

(11)

where p 0 1 m o d denotes the multiplicative inverse of p in the integer

field modulo . The well-known extended Euclidean algorithm runs in

polynomial time.

For the demonstration of the complete reverse mapping without

using the secret key of the recipient, we still assume nS

< n

R

( i

3

; j

3

) M a p ( i ; j ; k

S S

; k

P R

; S )

( i

; j

) S

k

n

2 S

0 k

n

2 ( i

3

; j

3

) ( m o d n

R

) ( m o d n

S

)

M a p

0 1

( i

3

; j

3

; k

P S

; k

S R

; S ) : (12)

Now it is evident that ( i ; j ) ( i ; j ) ( m o d nS

) .

As finding a proper chaos function with trap-door properties is not

easy,6 the above described problems are very difficult to fix.

VI. A DIFFIE-HELLMAN-BASED CONSTRUCTION

Finally, as an alternative, we sketch a construction for a PKS system,

which is as secure against polynomial bounded adversaries as an un-

derlying secret key stego system. The construction is based on the El-

Gamal [4] encryption scheme (PKS-EG) that can be applied directly toPKS if the same strong assumptions about the mutual key exchange as

in PKS-CE do hold:

prior bi-directional key exchange (in contrast to the standard

public key cryptography model);

the recipient can identify his or her potential steganographic com-

munication partner before the extraction.

Let prime p in the order 2 ` and generator g of the finite field G F ( p )

be public constants. To generate a key pair, senderS

and recipientR

randomly choose x ; y G F ( p ) and publish kP S

g

x

( m o d p ) and

k

P R

g

y

( m o d p )

, respectively. In turn,k

S S

= x

andk

S R

= y

remain secret. To embed a message, sender S computes z kk

P R

g

y

g

x y

( m o d p ) . With H being an adequately secure hash function,

k

s y m

= H ( z ) can be used as secret key for steganographic communi-

cation between S and R in any SKS scheme. The recipient is able to

retrievek

s y m

becausez g

x y

( g

x

)

y

k

k

P S

( m o d p )

.

According to the computational Diffie-Hellman assumption, given

g

x and g y the public parameters onlyit is hard to compute

g

x y

( m o d p ) . In the absence of knowledge about ks y m

, an adversary

must resort to detecting steganographic messages with means of signal

6Building secure trap-door functions with parameters in the order 2 is im-possible because an adversary could run an exhaustive search in reasonable timeusing a probabilistic polynomial algorithm.

processing, which reduces the problem to attacking the underlying

SKS. Hence, against computational bounded adversaries and reason-

able choices of the security parameter , PKS-EG is as secure as the

SKS. Candidate algorithms for the SKS include the state of the art

least detectable embedding functions, such as perturbed quantization

[6] or adaptive stochastic modulation [5] for image steganography.

In contrast to PKS-CE, the security parameter is independent from

the size of the carrier so that PKS-EG does not suffer from the abovementioned practical limitations.

Note that this construction is simple because it inherits the strong

assumptions from PKS-CE. Tackling the steganographic key exchange

properly requires more sophisticated constructions (cf. [12]).

VII. CONCLUSION

The PKS-CE scheme promised to be a secure public-key

steganograhic system at the cost of some impractical constraints

due to the mutual key exchange. In fact, however, the exponential

relation between the security parameter and the required size of the

carrier media renders the system useless for reasonable security levels.

Since further weaknesses were identified in both the embeddingfunction and the asymmetric trap-door function, the PKS-CE scheme

is neither operable nor secure and thus should not be used in practice.

As the authors are not aware of a straight way to fix these flaws, a

more secure and less obscure alternative has been proposed.

REFERENCES

[1] R. J. Anderson andF. A. P. Petitcolas, On the limits of steganography,IEEE J. Select. Areas Commun., vol.16,no.4, pp. 474481,May 1998.

[2] M. Backes and C. Cachin, Public-key steganography with activeattacks, in Theory of Cryptography, ser. Lecture Notes in ComputerScience, J. Kilian, Ed. New York: Springer, 2005, vol. 3378, pp.210226.

[3] D. Coppersmith, Modifications to the number field sieve, J. Cryptol.,

vol. 6, pp. 169180, 1993.[4] T. ElGamal, A public key cryptosystem and a signature scheme based

on discrete logarithms, IEEE Trans. Inform. Theory, vol. IT-31, no. 4,pp. 469472, Jul. 1985.

[5] J. Fridrich and M. Goljan, Digital image steganography using sto-chastic modulation, in Security, Steganography and Watermarking of

Multimedia Contents V (Proc. SPIE) , E. J. Delp and P. W. Wong, Eds.,San Jose, CA, 2003, pp. 191202.

[6] J. Fridrich, M. Goljan, and D. Soukal, Perturbed quantizationsteganography with wet paper codes, in MM&Sec 04: Proc. 2004

ACM Workshop on Multimedia and Security, 2004, pp. 415.[7] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic

maps, Int. J. Bifurcat. Chaos, vol. 8, no. 6, pp. 12591284, 1998.[8] A. Kerckhoffs, La cryptographie militaire, J. des sciences militaires

vol. IX, pp. 538, 1883 [Online]. Available: http://www.petitcolas.net/fabien/kerckhoffs/crypto_militaire_1.pdf, 161191

[9] T. V. Le, Efficient Provably Secure Public Key Steganography Cryp-tology ePrint Archive, Report 2003/156, 2003 [Online]. Available:http://www.eprint.iacr.org/2003/156

[10] D. Louand C.Sung, A steganographic scheme for securecommunica-tions based on the chaos and Euler theorem, IEEE Trans. Multimedia,vol. 6, no. 3, pp. 501509, Jun. 2004.

[11] G. J. Simmons, The prisoners problem and the subliminal channel,in Adv. CryptologyCRYPTO83, D. Chaum, Ed., 1984, pp. 5167,Plenum.

[12] L. von Ahn and N. J. Hopper, Public-key steganography, in EURO-CRYPT, ser. Lecture Notes in Computer Science, C. Cachin and J. Ca-menisch, Eds. New York: Springer, 2004, vol. 3027, pp. 323341.