a steganographic scheme based on chaos-2007
TRANSCRIPT
-
7/29/2019 A Steganographic Scheme Based on Chaos-2007
1/5
IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1325
Correspondence
On the Security of A Steganographic Scheme
for Secure Communications Based on the Chaos
and the Euler TheoremRainer Bhme and Christian Keiler
AbstractThis paper contains a security analysis of the construction ofa public key steganographic system based on chaos theory and the Euler
theorem (PKS-CE) as proposed by Lou and Sung in a previous issue ofthis transactions. Our analysis results in attack strategies on two differentlayers: first, we identify weaknesses of the embeddingfunction, whichallow
a passive warden to tell steganographic images from clean carriers apart.Second, we show that the allegedly asymmetric trap-door function in factcan be efficiently inverted solely with the knowledge of its public parame-ters, thus revealing the secret message as plain text to a passive adversary.Experimental results from a re-implementation further indicate that theclaimed robustness of the embeddedmessageagainsttransformations of the
carrier medium was far too optimistic. Finally, we demonstrate that a se-cure alternative system can easily be constructed from standard primitivesif the strong assumptions made in PKS-CE for the mutual key exchange
can actually be fulfilled.
Index TermsInformation hiding, public key steganography, security
analysis, steganalysis.
I. INTRODUCTION
Steganographic techniques as described by Simmons [11] enable
covered message exchange over unsuspicious communication chan-
nels. Their security can be measured by the difficulty to detect the mere
existence of hidden communication in a public channel. An attack is
successful and a steganographic method considered as broken if the ad-versary is able to tell steganographic communication from clean traffic
apart with a probability of success better than random guessing.
In the baseline case, the communication partners share a secret key.
The majority of known steganographic algorithms hence belongs to the
class of secret key steganography (SKS). Anderson and Petitcolas [1]
firstdefinedpublickeysteganography(PKS)analogouslytoasymmetric
(public key)cryptography. Thispaper contains a securityanalysisof one
specificschemeforpublickeysteganographyproposedbyLouandSung
[10], further referred to as PKS-CE. In contrast to theoretical work on
PKS in the literature (see [2], [9], and [12]), Lou and Sungs scheme
is intended to be ready for implementation. It also differs from prior
art in the choice of the cryptographic operation. A generic approach to
PKS is to embed the entire bit stream of an asymmetrically encrypted
messagewithanSKSembeddingoperation,withtheexceptionthatallitsparameters aremadepublic (i.e. arecommonly shared). Louand Sungs
construction, however, determines the embeddingposition ofindividual
message bits with an asymmetric mapping function.
Before advancing to the security analysis, we recall the construction
of PKS-CE, as visualized in Fig. 1. First, message M is transformed to
Manuscript received December 22, 2005; revised April3, 2007. The associateeditor coordinating the review of this manuscript and approving it for publica-tion was Dr. Ching-Yung Lin.
R. Bhme is with the Institute of Systems Architecture, Technische Univer-sitt Dresden, 01062 Dresden, Germany (e-mail: [email protected]).
C. Keiler is withthe SignsoftGmbH, 01127 Dresden, Germany (e-mail: [email protected]).
Digital Object Identifier 10.1109/TMM.2007.902898
Fig. 1. Block diagram of Lou and Sungs PKS-CE.
a message matrix representation (MMR). This transformation can be
complemented with an optional error-correcting code (ECC). A trap-
door mapping function Map is applied on each matrix coordinate ( i ; j )
to compute the position in the carrier matrix representation (CMR).
This function consists of two nested mapping operations, which take
a coordinate( i ; j )
, the secret key of the senderk
S S
and the public
key of the recipient kP R
to compute a corresponding embedding po-
sition ( i 3 ; j 3 ) in the carrier. The embedding operation F returns the
steganogram. It works on individual bits and it is applied with globalparameters only.
After the transmission of the steganogram to the recipient, they ex-
tract the carrier message representation ( C M R 3 ) . The message matrix
representation M M R 3 can be recovered with theinversemappingfunc-
tionM a p
0 1 using the public key of the senderk
P S
and the secret key
of the recipient kS R
M a p : ( i ; j ; k
S S
; k
P R
; S ) 7! ( i
3
; j
3
)
M a p
0 1
: ( i
3
; j
3
; k
P S
; k
S R
; S ) 7! ( i
; j
) (1)
S is a global parameter. The message is obtained after linearization and
optional error decoding ( E C C 0 1 ) .
Our security analysis is structured as follows: Section II explains
details of the embedding function before its weaknesses are pointedout and backed with experimental evidence in Section III. Accordingly,
Section IV deals with the mapping function followed by an analysis in
Section V. Before we conclude, and as a reaction to the weaknesses
identified, a more secure alternative construction based on standard
cryptographic primitives is sketched in Section VI.
II. DESCRIPTION OF THE EMBEDDING FUNCTION
The choice of an embedding function is always specific to the prop-
erties of the carrier medium. PKS-CE is designed for grayscale images
stored as a matrix of intensity values. The embedding function takes an
embedding position ( i 3 ; j 3 ) and the value of one message bit m( i ; j )
as arguments and alters the carrier so that the resulting steganogram
contains the semantic of the message bit. Obviously, this modification
1520-9210/$25.00 2007 IEEE
-
7/29/2019 A Steganographic Scheme Based on Chaos-2007
2/5
1326 IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007
Fig. 2. Relation of a pixel to its local neighborhood.
should neither be perceptible to visual inspection nor alter the statis-
tical properties of carrier media. To achieve imperceptibility, PKS-CE
adaptively takes into account the local neighborhood of( i
3
; j
3
)
with
intensityx
( i ; j )
, as shown in Fig. 2. PKS-CE defines three control
variablesl
(
i ; j
)
(upper left),r
(
i ; j
)
(lower right) anda
(
i ; j
)
(sur-round), which average the neighborhood intensities
l
( i ; j )
=
1
3
x
( i 0 1 ; j 0 1 )
+ x
( i ; j 0 1 )
+ x
( i 0 1 ; j )
r
( i ; j )
=
1
3
x
( i + 1 ; j )
+ x
( i ; j + 1 )
+ x
( i + 1 ; j + 1 )
a
( i ; j )
=
1
2
l
( i ; j )
+ r
( i ; j )
: (2)
Let t be a global parameter for the embedding strength. We shall call
pixel x( i ; j )
at position ( i 3 ; j 3 ) center pixel and omit the indices for
the sake of brevity. The embedding process distinguishes three possible
cases.
First, the center pixel has a homogenous neigborhood relative tot
if j l 0 r j 3 1 t . In this case, a zero bit is embedded by subtracting
t from a ; and a one by adding t to a . Second, the center pixel is part
of a downward slope if j l 0 r j > 3 1 t and l > r . In this case, for a
zero, the resulting pixel is set close to the higher neighbors, precisely
tol 0 t
. In turn, a one is embedded by setting the pixel close to the
lower neighbors r + t . Third, for an upward slope, where j l 0 r j > 3 1 t
and l < r , the assignment of zeros and ones is inverse to the second
case with l now representing the lower neighbors and r the higher ones.
Hence, the resulting pixel isl + t
for zeros andr 0 t
for ones.
The extraction function F 0 1 works accordingly. It first determines
whether the decoded pixel position( i
; j
)
is in a homogenous neig-
borhood relative to t . If so, a comparison whether the center pixels in-
tensity is smaller or equal thana
( i ; j )
reveals the message bit value.
Otherwise the extraction function checks whether the center pixels in-
tensity is closer tol
( i ; j ) or tor
( i ; j ) before deciding between zeroand one in a second step.
There are several sources for bit errors in steganographic communi-
cation. On the transmission channel, marginal changes in the intensity,
either caused by random distortions or by an active adversary trying
to prevent steganographic communication, may destroy the stegano-
graphic content. Another source of error is specific to this embedding
function and occurs even in perfect channels: if two embedding posi-
tions fall next to each other, wrong extraction results may occur due to
the influence of the second embedding on the neighborhood of the first.
The PKS-CE scheme proposes the error correcting code to cope with
any of these errors.
The impact of errors from subsequent embedding in the same neigh-
borhood can be measured experimentally. We embed 875 bits into each
of 100 8-bit grayscale test images sized 253 2 253 pixels [i.e., the em-
bedding rate is as low as 0.014 bits per pixel (bpp)], at positions given
TABLE IEXPERIMENTAL RESULTS FOR ATTACKS ON THE EMBEDDING FUNCTION
Average share of t -pixels and average edge length (in pixels) of the largest
square withoutt
-pixels. Averages are computed over 100 images for plain
carriers and steganograms.
by the PKS-CE mapping function and then count the number of suc-
cessful extractions. Fort = 1
we found 9.95 bit errors( = 1 : 1 4 % )
on
average across images. With an error correcting codeReed-Solomon
RS(31,25), as proposed in [10]the error rate declined somewhat to
7.60( = 0 : 8 7 % )
on average.
III. WEAKNESSES OF THE EMBEDDING FUNCTIONIn steganography, unlike for some watermarking applications, it is
reasonable to adhere to Kerckhoffs principle and assume that an ad-
versary has full knowledge of the functioning of the steganographic
system except for its secret keys [1], [8]. This is not only regarded as
a good practice to develop truly secure algorithms, but also follows di-
rectly from the principles of public key steganographic systems, which
aim at avoiding obscurity. If their secure application depends on any
additional secrets shared between sender and recipient, the extra effort
to construct PKS as opposed to far simpler SKS would be rendered
useless. Therefore, we deem it justified to assume that the adversary
knows all public and global parameters of the concrete implementa-
tion of PKS-CE in a specific communication context.1
The idea of this steganalysis exploits the deterministic embedding
equations specified in the embedding function. Since the relation be-
tween pixels and their neighborhood is fixed in the steganogram, an
attacker can evaluate this relation for each pixel in an image. He or
she can further infer the existence of steganographic content from an
atypical high number of pixels that exactly fulfill one of the embedding
equations.
Consequently, we define the notiont
-pixel as pixel where one of the
embedding equations between the pixel and its neighborhood holds for
a given parametert
. This corresponds to the following formal expres-
sion:l
( i ; j )
0 r
( i ; j )
3 1 t x
( i ; j )
a
( i ; j )
6 t
_ l
( i ; j )
0 r
( i ; j )
> 3 1 t
x
( i ; j )
l
( i ; j )
6 t _ x
( i ; j )
r
( i ; j )
6 t : (3)
By applying this criterion on a large number of test images, both
plain carrier and steganograms, we found a stable share of t -pixels,
which depends on parametert
and the embedding ratio. As reported in
Table I, plain carriers contain fewer t -pixels than steganograms. Thus,
forsuitable settings oft , a simplecriterion based onthe share oft -pixels
yields a reliable stego detector.
If the mere number doesnot discriminate sufficiently, then the spatial
distribution oft
-pixels can be evaluatedto improve the detection power.
Since the occurrence of t -pixels in plain carrier images is correlated
with the image structure, there exist regions with higher concentration
of t -pixels as well as regions without any. Steganographic modifica-
tions, however, appear randomly in the entire space of the CMR. This
1
Note that most weaknesses would still allow for successful attacks even ifthe exact values of global parameterssuch as t were unknown, as missingparameters could be efficiently estimated by the adversary.
-
7/29/2019 A Steganographic Scheme Based on Chaos-2007
3/5
IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1327
Fig. 3. Distribution oft
-pixels: (a) original, (b) filtered image without embed-ding, and (c) filtered image with small capacity stego message.
causest
-pixels in the steganogram to appear regardless of the image
structure. Fig. 3 illustrates the distribution of t -pixels in one example
grayscale image by applying a filter that visualizes the positions of
t -pixels for t = 1 in a clean image and [cf. Fig. 3(b)] a steganogramwith about 0.1 bits per pixel payload [cf. Fig. 3(c)]. It is also visible
that the mapping function reduces the set of possible embedding posi-
tions to the CMR area (see below in Section V). An easy measure that
can be used as a stego-detector is the maximum square area within the
dimension of the CMR that does not contain any t -pixel. This value dif-
fers considerably between plain carriers and steganograms, as reported
in columns 4 and 5 of Table I. The performance in terms of detection
rate and false positives of stego detectors using the above described
methods is given by receiver operating characteristics (ROC) charts in
Fig. 4. The charts show that the spatial criterion allows for perfect sep-
aration for t 2 f 6 ; 1 2 g and is still highly reliable for t = 1 .
The original paper also claimed a sort of robustness of PKS-CE
against noise in the intensity values of the steganogram due to channeldisturbance or active tampering. To verify the results, a re-implemen-
tation of the scheme has been used to evaluate the robustness against
Gaussian noise with zero mean and standard deviation in the range of
( 1 = 1 2 ) 1 t
to9 1 t
. Following the description in [10], a Reed-Solomon
code RS(31,25) has been employed as ECC. The results of these ex-
periments (Table II) show that even very subtle noise causes a high
number of uncorrectable bit errors. The robustness increases somewhat
for higher values oft
, but at the same time the probability for heavily
visible artifacts soars.
In the following, we will show why it will not be sufficient to fix the
weaknesses of the embedding function to make the scheme secure.
IV. DESCRIPTION OF THE MAPPING FUNCTION
Function Map is supposed to be an asymmetric cryptographic func-
tion, which is based on the Euler theorem and chaos theory. Since the
Fig. 4. ROC curvesfor different valuesoft
and for different detection methods;results from experiments on 100 test images with an average embedding rate of0.1 bpp. Notethatthe scale of false positives has been cut in(b) to make the verysmall error rates visible. (a) Detector based on share of
t
-pixels. (b) Detector
based on spatial distribution of t -pixels.
TABLE IIEXPERIMENTAL RESULTS ON THE ROBUSTNESS OF THE EMBEDDING FUNCTION
Mean error rates for additive Gaussian noise (embedding rate as low as 0.002
bpp) and RS(31,25) error correction.
original publication is not entirely clear in the description of and the
rationales behind the design of the mapping function, the following
discussion has to be considered as a common sense interpretation of
how the scheme works.
ThePKS-CE scheme differs from the majority of other approachesto
PKS by its strong assumptions for the key exchange: even for one-way
communication, both sender and recipient have to transmit the public
part of their key pair to the other party authentically. How this mutual
key exchange can be realized secretly is not considered in the original
publication and thus beyond the scope of this paper.
-
7/29/2019 A Steganographic Scheme Based on Chaos-2007
4/5
1328 IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007
TABLE IIISCOPE OF CRYPTO PARAMETERS
For the key generation, both sender and recipient independently
chose a public moduln
S
andn
R
, respectively. These numbers ought
to be semi-prime to ensure that the Euler symbols ' ( nS
) and ' ( nR
)
can be computed effectively as' ( u 1 v ) = ( u 0 1 ) ( v 0 1 )
with
knowledge of the (secret) prime factors u and v . Both parties choose
their secret keysk
S S
andk
S R
at random in the range
s e n d e r : ' ( n
S
) > k
S S
> 0
r e c i p i e n t : ' ( n
R
) > k
S R
> 0 :
(4)
Then the public parts are given as differences to the Euler symbols
s e n d e r : k
P S
= ' ( n
S
) 0 k
S S
r e c i p i e n t : k
P R
= ' ( n
R
) 0 k
S R
: (5)
Table III summarizes all relevant parameters of the mapping func-
tion classified by their scope of knowledge (secret, public, global).
Global parameters are constant for all communication relations. The
two primesp
1
andp
2
are both relatively prime ton
S
andn
R
.2 Integer
q > 2 is another global parameter to seed the chaotic mapping.
Parameters p1
, p2
and q are used to build a matrix Q and a so-called
stego-matrixS
as
Q =
1 1
q q + 1
; a n d S = Q 2
p
1
0
0 p
2
2 Q
0 1
: (6)
Later in the mapping function, matrix S needs to be exponentiated.
This is not difficult due to its special structure. As shown in [10, eq.
(6)] it reduces to the exponentiation of scalars
S
= Q 2
p
1
0
0 p
2
2 Q
0 1
: (7)
We need another notation because PKS-CE only uses exponentiation
in rings of integers modulo a number. SoS
means that the exponen-
tiation to the power of is computed modulo .
With the above prerequisites, we can study the basic trap-door map-
ping operation in (8) 3
S
' ( )
Q 2
p
' ( )
1
0
0 p
' ( )
2
2 Q
0 1
( m o d
)
Q 2
1 0
0 1
2 Q
0 1
( m o d )
Q 2 Q
0 1
( m o d )
1 0
0 1
( m o d ) : (8)
To encrypt an MMRmessage position with the coordinates( i ; j )
to a
CMR position with the coordinates( i
3
; j
3
)
, the sender has to use their
2The last condition is easy to fulfill as n and n are semi-prime; in the veryunlikely case that a communication partner chooses a secret parameter equal toa global one, the key generation algorithm has to be repeated.
3
The original paper refers to another variableN
as the public largenumber in the RSA cryptosystem ([10, p. 503])presumedly anothersemi-primewhich can be eliminated analytically.
secret keyk
S S
and the recipients public key kP R
as follows (without
loss of generality, we assumen
S
< n
R
):
M a p :
( i
3
; j
3
) S
k
n
2 S
k
n
2 ( i ; j ) ( m o d n
S
) ( m o d n
R
) :
(9)
Note that the multiplication and modulo operations were not explicitly
defined in the original paper, but the term applyingS
does not allowany other interpretation. As a consequence of the modulo operations,
the dimension of CMR is bound to the infimum of nS
andn
R
[see
Fig. 1 and Fig. 3(c)].
The decryption (i.e., reverse mapping) of( i 3 ; j 3 ) to the original mes-
sage position( i
; j
)
uses the remaining parameters, namely the public
key of the senderk
P S
and the secret key of the recipientk
S R
M a p
0 1
:
( i
; j
) S
k
n
2 S
k
n
2 ( i
3
; j
3
) ( m o d n
R
) ( m o d n
S
) :
(10)
The reverse mapping is alwayspossible as can be seen from the identity
mapping in (8) with the exponent' ( )
. Since the public and secret
parts of a key pair sum up to ' ( nS
) and ' ( nR
) , respectively [see (5)],
inserting (9) in (10) yields the identity mapping as well.To summarize the above paragraphs, the mapping function is build
on two principles. First the Euler theorem for (8) and second the chaotic
orbits as used in Fridrichs [7] stego system, albeit in a secret key sce-
nario.
V. WEAKNESSES OF THE MAPPING FUNCTION
The mapping function suffers from several weaknesses, which can
be broadly structured into practical aspects for real-world applications
and systematical problems with the alleged non-invertibility of Map.
As to the practical issues, one obstacle stems from the fact that Map
maps a small domain to a larger one. In the reverse mappingM a p
0 1 ,
there are way more positions in the preimage than in the projection do-
main d i m ( M M R 3
) , as visualized by the italic bits in C M R3
of Fig. 1.Since the recipient cannot tell steganographically modified pixels apart
from original ones,4 there is little chance to solve the ambiguity intro-
duced at this step. Though not considered in the original paper, there is
a way to improve the extraction by simultaneously applying the t -pixel
criterion as described in Section III to preselect candidate pixels. How-
ever, it appears a little bit awkward to use a weakness in the embedding
layer in order to fix the decryption function.
Regarding computational effort, the decryption of an entire
steganogram is heavy if parameters are chosen in a secure range.
In the worst case one has to iterate nR
1 n
R
(if nR
> n
S
) pixel
positions and subsequently apply the reverse mapping operations to
reconstructM M R
3 . Let
be the length of the binary representation
of the larger modulus, the complexity of the complete decryption in
the O -calculus turns out to be O ( e ` ) . The use of large parameters
has another disadvantage because the required carrier size depends
on the security parameter
. Apart from operational challenges to
handle image data in the order of billions of pixels, solely the fact that
extremely huge images are transmitted is not plausible and thus reveals
the use of steganography. Moreover, a comparison of the complexity
of decryption with the complexity of factorization5 of nR
and nS
,
respectively, shows that factorization of an integer in the order of2
`
is less complex than the reverse mapping of a complete C M R 3 . This
means that it is computationally easier to calculate the secret key from
the public parameters than extracting a message!
4Thesecret key of thesenderk
would be required to identify theembeddingpositions.
5The complexity of th e General Number Field Sieve isO ( e l n ( ) 1 ( l n ( l n ( ) ) ) ) [3].
-
7/29/2019 A Steganographic Scheme Based on Chaos-2007
5/5
IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 9, NO. 6, OCTOBER 2007 1329
As to the systematical problems, it turns out that the mapping func-
tion has actually no trap-door property: Since the global stegomatrixS
is regular and nS
and nR
are both relatively prime to p1
and p2
, the ad-
versary can efficiently compute its inverseS
0 1 , as shown in (11) (n
S
andn
R
are replaced by
)
S
0 1
( m o d ) ; w h e r e
( p
2
0 q 1 p
1
+ q 1 p
2
) 1 p
0 1
1
1 p
0 1
2
( m o d )
( 0 q 1 p
1
+ q 1 p
2
0 q
2
1 p
1
+ q
2
1 p
2
) 1 p
0 1
1
1 p
0 1
2
( m o d )
( p
1
0 p
2
) 1 p
0 1
1
1 p
0 1
2
( m o d )
( p
1
+ q 1 p
1
0 q 1 p
2
) 1 p
0 1
1
1 p
0 1
2
( m o d )
(11)
where p 0 1 m o d denotes the multiplicative inverse of p in the integer
field modulo . The well-known extended Euclidean algorithm runs in
polynomial time.
For the demonstration of the complete reverse mapping without
using the secret key of the recipient, we still assume nS
< n
R
( i
3
; j
3
) M a p ( i ; j ; k
S S
; k
P R
; S )
( i
; j
) S
k
n
2 S
0 k
n
2 ( i
3
; j
3
) ( m o d n
R
) ( m o d n
S
)
M a p
0 1
( i
3
; j
3
; k
P S
; k
S R
; S ) : (12)
Now it is evident that ( i ; j ) ( i ; j ) ( m o d nS
) .
As finding a proper chaos function with trap-door properties is not
easy,6 the above described problems are very difficult to fix.
VI. A DIFFIE-HELLMAN-BASED CONSTRUCTION
Finally, as an alternative, we sketch a construction for a PKS system,
which is as secure against polynomial bounded adversaries as an un-
derlying secret key stego system. The construction is based on the El-
Gamal [4] encryption scheme (PKS-EG) that can be applied directly toPKS if the same strong assumptions about the mutual key exchange as
in PKS-CE do hold:
prior bi-directional key exchange (in contrast to the standard
public key cryptography model);
the recipient can identify his or her potential steganographic com-
munication partner before the extraction.
Let prime p in the order 2 ` and generator g of the finite field G F ( p )
be public constants. To generate a key pair, senderS
and recipientR
randomly choose x ; y G F ( p ) and publish kP S
g
x
( m o d p ) and
k
P R
g
y
( m o d p )
, respectively. In turn,k
S S
= x
andk
S R
= y
remain secret. To embed a message, sender S computes z kk
P R
g
y
g
x y
( m o d p ) . With H being an adequately secure hash function,
k
s y m
= H ( z ) can be used as secret key for steganographic communi-
cation between S and R in any SKS scheme. The recipient is able to
retrievek
s y m
becausez g
x y
( g
x
)
y
k
k
P S
( m o d p )
.
According to the computational Diffie-Hellman assumption, given
g
x and g y the public parameters onlyit is hard to compute
g
x y
( m o d p ) . In the absence of knowledge about ks y m
, an adversary
must resort to detecting steganographic messages with means of signal
6Building secure trap-door functions with parameters in the order 2 is im-possible because an adversary could run an exhaustive search in reasonable timeusing a probabilistic polynomial algorithm.
processing, which reduces the problem to attacking the underlying
SKS. Hence, against computational bounded adversaries and reason-
able choices of the security parameter , PKS-EG is as secure as the
SKS. Candidate algorithms for the SKS include the state of the art
least detectable embedding functions, such as perturbed quantization
[6] or adaptive stochastic modulation [5] for image steganography.
In contrast to PKS-CE, the security parameter is independent from
the size of the carrier so that PKS-EG does not suffer from the abovementioned practical limitations.
Note that this construction is simple because it inherits the strong
assumptions from PKS-CE. Tackling the steganographic key exchange
properly requires more sophisticated constructions (cf. [12]).
VII. CONCLUSION
The PKS-CE scheme promised to be a secure public-key
steganograhic system at the cost of some impractical constraints
due to the mutual key exchange. In fact, however, the exponential
relation between the security parameter and the required size of the
carrier media renders the system useless for reasonable security levels.
Since further weaknesses were identified in both the embeddingfunction and the asymmetric trap-door function, the PKS-CE scheme
is neither operable nor secure and thus should not be used in practice.
As the authors are not aware of a straight way to fix these flaws, a
more secure and less obscure alternative has been proposed.
REFERENCES
[1] R. J. Anderson andF. A. P. Petitcolas, On the limits of steganography,IEEE J. Select. Areas Commun., vol.16,no.4, pp. 474481,May 1998.
[2] M. Backes and C. Cachin, Public-key steganography with activeattacks, in Theory of Cryptography, ser. Lecture Notes in ComputerScience, J. Kilian, Ed. New York: Springer, 2005, vol. 3378, pp.210226.
[3] D. Coppersmith, Modifications to the number field sieve, J. Cryptol.,
vol. 6, pp. 169180, 1993.[4] T. ElGamal, A public key cryptosystem and a signature scheme based
on discrete logarithms, IEEE Trans. Inform. Theory, vol. IT-31, no. 4,pp. 469472, Jul. 1985.
[5] J. Fridrich and M. Goljan, Digital image steganography using sto-chastic modulation, in Security, Steganography and Watermarking of
Multimedia Contents V (Proc. SPIE) , E. J. Delp and P. W. Wong, Eds.,San Jose, CA, 2003, pp. 191202.
[6] J. Fridrich, M. Goljan, and D. Soukal, Perturbed quantizationsteganography with wet paper codes, in MM&Sec 04: Proc. 2004
ACM Workshop on Multimedia and Security, 2004, pp. 415.[7] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic
maps, Int. J. Bifurcat. Chaos, vol. 8, no. 6, pp. 12591284, 1998.[8] A. Kerckhoffs, La cryptographie militaire, J. des sciences militaires
vol. IX, pp. 538, 1883 [Online]. Available: http://www.petitcolas.net/fabien/kerckhoffs/crypto_militaire_1.pdf, 161191
[9] T. V. Le, Efficient Provably Secure Public Key Steganography Cryp-tology ePrint Archive, Report 2003/156, 2003 [Online]. Available:http://www.eprint.iacr.org/2003/156
[10] D. Louand C.Sung, A steganographic scheme for securecommunica-tions based on the chaos and Euler theorem, IEEE Trans. Multimedia,vol. 6, no. 3, pp. 501509, Jun. 2004.
[11] G. J. Simmons, The prisoners problem and the subliminal channel,in Adv. CryptologyCRYPTO83, D. Chaum, Ed., 1984, pp. 5167,Plenum.
[12] L. von Ahn and N. J. Hopper, Public-key steganography, in EURO-CRYPT, ser. Lecture Notes in Computer Science, C. Cachin and J. Ca-menisch, Eds. New York: Springer, 2004, vol. 3027, pp. 323341.