On the Gold Standard for Security of Universal Steganography

  • Sebastian BerndtEmail author
  • Maciej Liśkiewicz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)


While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem – i.e. one that works on all channels – achieving security against replayable chosen-covertext attacks (ss-rcca) and asked whether security against non-replayable chosen-covertext attacks (ss-cca) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and ss-cca-security can be achieved simultaneously. No progress on this question has been achieved since more than a decade. In our work we solve Hopper’s problem in a somehow complete manner: As our main positive result we design an ss-cca-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels – where the already sent documents have only marginal influence on the current distribution – and prove that no ss-cca-secure steganography for this family exists in the standard non-look-ahead model.

Supplementary material


  1. 1.
    Anderson, R.J., Petitcolas, F.A.P.: On the limits of steganography. IEEE J. Sel. Areas Commun. 16(4), 474–481 (1998)CrossRefGoogle Scholar
  2. 2.
    Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Proceedings of the CCS, pp. 364–375. ACM (2015)Google Scholar
  3. 3.
    Backes, M., Cachin, C.: Public-key steganography with active attacks. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 210–226. Springer, Heidelberg (2005). Scholar
  4. 4.
    Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: Proceedings of the CCS 2015, pp. 1431–1440. ACM (2015)Google Scholar
  5. 5.
    Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). Scholar
  6. 6.
    Berndt, S., Liśkiewicz, M.: Algorithm substitution attacks from a steganographic perspective. In: Proceedings of the CCS, pp. 1649–1660 (2017).
  7. 7.
    Cachin, C.: An information-theoretic model for steganography. Inf. Comput. 192(1), 41–56 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). Scholar
  9. 9.
    Chandran, N., Goyal, V., Ostrovsky, R., Sahai, A.: Covert multi-party computation. In: Proceedings of the FOCS, pp. 238–248. IEEE Computer Society (2007)Google Scholar
  10. 10.
    Chatterjee, R., Bonneau, J., Juels, A., Ristenpart, T.: Cracking-resistant password vaults using natural language encoders. In: Proceedings of the S&P, pp. 481–498 (2015).
  11. 11.
    Cho, C., Dachman-Soled, D., Jarecki, S.: Efficient concurrent covert computation of string equality and set intersection. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 164–179. Springer, Cham (2016). Scholar
  12. 12.
    Craver, S.: On public-key steganography in the presence of an active warden. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 355–368. Springer, Heidelberg (1998). Scholar
  13. 13.
    Dedić, N., Itkis, G., Reyzin, L., Russell, S.: Upper and lower bounds on black-box steganography. J. Cryptol. 22(3), 365–394 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). Scholar
  15. 15.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Fazio, N., Nicolosi, A.R., Perera, I.M.: Broadcast steganography. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 64–84. Springer, Cham (2014). Scholar
  18. 18.
    Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Golla, M., Beuscher, B., Dürmuth, M.: On the security of cracking-resistant password vaults. In: Proceedings of the CCS, pp. 1230–1241 (2016).
  20. 20.
    Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). Scholar
  21. 21.
    Hopper, N.: On steganographic chosen covertext security. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 311–323. Springer, Heidelberg (2005). Scholar
  22. 22.
    Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). Scholar
  23. 23.
    Hopper, N.J., von Ahn, L., Langford, J.: Provably secure steganography. IEEE Trans. Comput. 58(5), 662–676 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)zbMATHGoogle Scholar
  25. 25.
    Katzenbeisser, S., Petitcolas, F.A.P.: Defining security in steganographic systems. In: Proceedings of the Electronic Imaging, pp. 50–56. SPIE (2002)Google Scholar
  26. 26.
    Kiayias, A., Raekow, Y., Russell, A., Shashidhar, N.: A one-time stegosystem and applications to efficient covert communication. J. Cryptol. 27(1), 23–44 (2014)CrossRefzbMATHGoogle Scholar
  27. 27.
    Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosen-ciphertext security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 673–692. Springer, Heidelberg (2010). Scholar
  28. 28.
    Van Le, T., Kurosawa, K.: Bandwidth optimal steganography secure against adaptive chosen stegotext attacks. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 297–313. Springer, Heidelberg (2007). Scholar
  29. 29.
    Lindell, Y.: A simpler construction of CCA2-secure public-key encryption under general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 241–254. Springer, Heidelberg (2003). Scholar
  30. 30.
    Liśkiewicz, M., Reischuk, R., Wölfel, U.: Grey-box steganography. Theoret. Comput. Sci. 505, 27–41 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986). Scholar
  32. 32.
    Lysyanskaya, A., Meyerovich, M.: Provably secure steganography with imperfect sampling. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 123–139. Springer, Heidelberg (2006). Scholar
  33. 33.
    Mitzenmacher, M., Upfal, E.: Probability and Computing - Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)CrossRefzbMATHGoogle Scholar
  34. 34.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the STOC, pp. 33–43. ACM (1989)Google Scholar
  35. 35.
    Pasquini, C., Schöttle, P., Böhme, R.: Decoy password vaults: at least as hard as steganography? In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 356–370. Springer, Cham (2017). Scholar
  36. 36.
    Ryabko, B., Ryabko, D.: Constructing perfect steganographic systems. Inf. Comput. 209(9), 1223–1230 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). Scholar
  38. 38.
    von Ahn, L., Hopper, N.J.: Public key steganography. IACR Cryptology ePrint Archive, 2003/233 (2003)Google Scholar
  39. 39.
    von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004). Scholar
  40. 40.
    Wang, Y., Moulin, P.: Perfectly secure steganography: capacity, error exponents, and code constructions. IEEE Trans. Inf. Theory 54(6), 2706–2722 (2008)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceKiel UniversityKielGermany
  2. 2.Institute for Theoretical Computer ScienceUniversity of LübeckLübeckGermany

Personalised recommendations