Abstract
While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper in EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem – i.e. one that works on all channels – achieving security against replayable chosen-covertext attacks (ss-rcca) and asked whether security against non-replayable chosen-covertext attacks (ss-cca) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and ss-cca-security can be achieved simultaneously. No progress on this question has been made for more than a decade. In our work we solve Hopper’s problem in a somewhat complete manner: As our main positive result we design an ss-cca-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels – where the already sent documents have only marginal influence on the current distribution – and prove that no ss-cca-secure steganography for this family exists in the standard non-look-ahead model.
1 Introduction
Steganography is the art of hiding the transmission of information to achieve secret communication without revealing its presence. In the basic setting, the aim of the steganographic encoder (often called Alice or the stegoencoder) is to hide a secret message in a document and to send it to the stegodecoder (Bob) via a public channel which is completely monitored by an adversary (Warden or steganalyst). The channel is modeled as a probability distribution of legal documents, called covertexts, and the adversary’s task is to distinguish those from altered ones, called stegotexts. Although strongly connected with cryptographic encryption, steganography is not encryption: While encryption only tries to hide the content of the transmitted message, steganography aims to hide both the message and the fact that a message was transmitted at all.
As in the cryptographic setting, the security of the stegosystems should only rely on the secrecy of the keys used by the system. Symmetric-key steganography, which assumes that Alice and Bob share a secret key, has been a subject of intensive study both in an information-theoretic [7, 36, 40] and in a computational setting [13, 22, 23, 25, 26, 30]. A drawback of such an approach is that the encoder and the decoder must have shared a key in a secure way. This may be inconvenient, e.g. if the encoder communicates with several parties.
In order to avoid this problem in cryptography, Diffie and Hellman provided the notion of a public-key scenario in their groundbreaking work [15]. This idea has proved to be very useful and is currently used in nearly every cryptographic application. Over time, the notion of security against so-called chosen-ciphertext attacks (CCA-security) has established itself as the “gold standard” for security in the public-key scenario [20, 27]. In this setting, an attacker also has access to a decoding oracle that decodes every ciphertext different from the challenge-text. Dolev et al. [16] proved that the simplest assumption for public-key cryptography – the existence of trapdoor permutations – is sufficient to construct a CCA-secure public key cryptosystem.
Somewhat in contrast to the research in cryptographic encryption, only very few studies in steganography have so far been concerned with the public-key setting. Von Ahn and Hopper [38, 39] were the first to give a formal framework and to prove that secure public-key steganography exists. They formalized security against a passive adversary in which Warden is allowed to provide challenge-hiddentexts to Alice in hopes of distinguishing covertexts from stegotexts encoding the hiddentext of his choice. For a restricted model, they also defined security against an active adversary; it is assumed, however, that Bob must know the identity of Alice, which deviates from the common bare public-key scenario.
Importantly, the schemes provided in [38, 39] are universal (called also black-box in the literature). This property guarantees that the systems are secure with respect not only to a concrete channel \(\mathcal {C}\) but to a broad range of channels. The importance of universality is based on the fact that typically no good description of the distribution of a channel is known.
In [3], Backes and Cachin provided a notion of security for public-key steganography with active attacks, called steganographic chosen-covertext attacks (SS-CCAs). In this scenario the warden may provide a challenge-hiddentext to Alice and force the stegoencoder to send stegotexts encoding the hiddentext of his choice. The warden may then insert documents into the channel between Alice and Bob and observe Bob’s responses in hope of detecting the steganographic communication. This is the steganographic equivalent of a chosen ciphertext attack against encryption and it seems to be the most general type of security for public-key steganography with active attacks, similar to CCA-security in encryption. Backes and Cachin also gave a universal public-key stegosystem which, although not secure in the general SS-CCA-setting, satisfies a relaxed notion called steganographic security against publicly-detectable replayable adaptive chosen-covertext attacks (SS-RCCA) inspired by the work of Canetti et al. [8]. In this relaxed setting, the warden may still provide a hiddentext to Alice and is allowed to insert documents into the channel between Alice and Bob, but with the restriction that the warden’s document does not encode the chosen hiddentext. Backes and Cachin left as an open problem whether secure public-key steganography exists at all in the SS-CCA-framework.
This question was answered by Hopper [21] in the affirmative in case Alice and Bob communicate via an efficiently sampleable channel \(\mathcal {C}\). He proved (under the assumption of a CCA-secure cryptosystem) that for every such channel \(\mathcal {C}\) there is an SS-CCA-secure stegosystem \(\mathsf {PKStS}_{\mathcal {C}}\) on \(\mathcal {C}\). The system cleverly “derandomizes” sampling documents by using the sampling-algorithm of the channel and using a pseudorandom generator to deterministically embed the encrypted message. Hence, \(\mathsf {PKStS}_{\mathcal {C}}\) is only secure on the single channel \(\mathcal {C}\) and is thus not universal. Hopper [21] posed as a challenging open problem to show the (non)existence of a universal SS-CCA-secure stegosystem. For more than a decade, public key steganography has been used as a tool in different contexts (e.g. broadcast steganography [17] and private computation [9, 11]), but this fundamental question remained open.
We solve Hopper’s problem in a complete manner by proving (under the assumption of the existence of doubly-enhanced trapdoor permutations and collision-resistant hash functions) the existence of an SS-CCA-secure public key stegosystem that works for every memoryless channel, i.e. such that the documents are independently distributed (for a formal definition see next section). On the other hand, we also prove that the influence of the history – the already sent documents – dramatically limits the security of stegosystems in the realistic non-look-ahead model: We show that no stegosystem can be SS-CCA-secure against all 0-memoryless channels in the non-look-ahead model. In these channels, the influence of the history is minimal. We thereby demonstrate a clear dichotomy result for universal public-key steganography: While memoryless channels do exhibit an SS-CCA-secure stegosystem, the introduction of the history prevents this kind of security.
Our Contribution. As noted above, the stegosystem of Backes and Cachin has the drawback that it achieves a weaker security than SS-CCA-security while it works on every channel [3]. On the other hand, the stegosystem of Hopper achieves SS-CCA-security but is specialized to a single channel [21]. We prove (under the assumption of the existence of doubly-enhanced trapdoor permutations and collision-resistant hash functions) that there is a stegosystem that is SS-CCA-secure on a large class of channels (namely the memoryless ones). The main technical novelty is a method to generate covertexts for the message m such that finding a second sequence of covertexts that encodes m is hard. Hopper achieves this at the cost of the universality of his system, while we still allow a very large class of channels. We thereby answer the question of Hopper in the affirmative, in case of memoryless channels. Note that before this work, it was not even known whether an SS-CCA-secure stegosystem exists that works for some class of channels (Hopper’s system only works on a single channel that is hard-wired into the system). Furthermore, we prove that SS-CCA-security for memoryless channels is the best possible in a very natural model: If the history influences the channel distribution in a minor way, i.e. only by its length, we prove that SS-CCA-security is not achievable in the standard non-look-ahead model of von Ahn and Hopper. In Table 1, we compare our results with previous works.
Related Results. Anderson and Petitcolas [1] and Craver [12] have both, even before the publication of the work by von Ahn and Hopper [38, 39], described ideas for public-key steganography, however, with only heuristic arguments for security. Van Le and Kurosawa [28] showed that every efficiently sampleable channel has an SS-CCA-secure public-key stegosystem. A description of the channel is built into the stegosystem and it makes use of a pseudo-random generator \( \mathsf {G}\) that encoder and decoder share. But the authors make a strong assumption concerning changes of internal states of \( \mathsf {G}\) each time the embedding operation is performed, which does not fit into the usual models of cryptography and steganography. Lysyanskaya and Meyerovich [32] investigated the influence of the sampling oracle on the security of public key stegosystems with passive attackers. They prove that the stegosystem of von Ahn and Hopper [39] becomes insecure if the approximation of the channel distribution by the sampling oracle deviates only slightly from the correct distribution. They also construct a channel where no incorrect approximation of the channel yields a secure stegosystem. This strengthens the need for universal stegosystems, as even tiny approximation errors of the channel distribution may lead to huge changes with regard to the security of the system. Fazio et al. [17] extended public-key steganography to the multi-recipient setting, where a single sender communicates with a dynamically changing set of receivers. Their system is designed such that no outside party and no unauthorized user is able to detect the presence of this broadcast communication. Cho et al. [11] upgraded the covert multi-party computation model of Chandran et al. [9] to the concurrent case and gave protocols for several fundamental operations, e.g. string equality and set intersection. Their steganographic (or covert) protocols are based upon the decisional Diffie-Hellman problem.
The paper is organized as follows. Section 2 contains the basic definitions and notations. In Sect. 3, we give an example attack on the stegosystem of Backes and Cachin to highlight the differences between SS-RCCA-security and SS-CCA-security. The following Sect. 4 contains a high-level view of our construction. Section 5 uses the results of [21] to prove that one can construct cryptosystems with ciphertexts that are indistinguishable from a distribution on bitstrings related to the hypergeometric distribution, which we will need later on. The core of our protocol is an algorithm to order the documents in an undetectable way that still allows us to transfer information. This ordering is described in Sect. 6. Our results concerning the existence of SS-CCA-secure steganography for every memoryless channel are then presented and proved in Sect. 7. Finally, Sect. 8 contains the impossibility result for SS-CCA-secure stegosystems in the non-look-ahead model on 0-memoryless channels.
In order to improve the presentation, we moved proofs of some technical statements to the appendix.
2 Definitions and Notation
If S is a finite set, we write \(x\twoheadleftarrow S\) to denote the random assignment of a uniformly chosen element of S to x. If A is a probability distribution or a randomized algorithm, we write \(x\leftarrow A\) to denote the assignment of the output of A, taken over the internal coin-flips of A.
As our cryptographic and steganographic primitives will be parameterized by the key length \(\kappa \), we want that the ability of any polynomial algorithm to attack these primitives is lower than the inverse of all polynomials in \(\kappa \). This is modeled by the definition of a negligible function. A function \(\mathsf {negl}:\mathbb {N}\rightarrow [0,1]\) is called negligible, if for every polynomial p, there is an \(N_{0}\in \mathbb {N}\) such that \(\mathsf {negl}(N) < p(N)^{-1}\) for every \(N\ge N_{0}\). For a probability distribution D on support X, the min-entropy \(H_{\infty }(D)\) is defined as \(\inf _{x\in X}\{-\log D(x)\}\).
We also need the notion of a strongly 2-universal hash function, which is a set of functions G mapping bitstrings of length \(\ell \) to bitstrings of length \(\ell ' < \ell \) such that for all \(x,x'\in \{0,1\}^{\ell }\) with \(x\ne x'\) and all (not necessarily different) \(y,y'\in \{0,1\}^{\ell '}\), we have \(|\{f\in G\mid f(x)=y \wedge f(x')=y'\}|=\frac{|G|}{2^{2\ell '}}\). If \(\ell /\ell '\in \mathbb {N}\), a typical example of such a family is the set of functions
\(\{x\mapsto \left( \sum _{i=1}^{\ell /\ell '}a_{i}x_{i}+b\right) \bmod 2^{\ell '} \mid a_{1},\ldots ,a_{\ell /\ell '},b\in \{0,\ldots ,2^{\ell '}-1\}\},\)
where \(x_{i}\) denotes the i-th block of length \(\ell '\) of x and we implicitly use the canonical bijection between \(\{0,1\}^{n}\) and the finite field \(\{0,\ldots ,2^{n}-1\}\). See e.g. the textbook of Mitzenmacher and Upfal [33] for more information on this. For two polynomials \(\ell \) and \(\ell '\), a strongly 2-universal hash family is a family \(\mathcal {G}=\{G_{\kappa }\}_{\kappa \in \mathbb {N}}\) such that every \(G_{\kappa }\) is a strongly 2-universal hash function mapping strings of length \(\ell (\kappa )\) to strings of length \(\ell '(\kappa )\).
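As an added illustration (not part of the paper), the following code implements the family \(x\mapsto (\sum a_{i}x_{i}+b) \bmod 2^{\ell '}\) and checks the strongly 2-universal counting condition exhaustively for the single-bit case \(\ell '=1\), which is the case the stegosystem later uses (one bit per document); the function and parameter names are our own.

```python
# Added example: exhaustive check of the strongly 2-universal property for the
# hash family given in Section 2, restricted to output length ell' = 1, where
# arithmetic mod 2^ell' is arithmetic in the field GF(2).
from itertools import product


def make_family(ell, ell_prime):
    """All functions x -> (sum a_i x_i + b) mod 2^ell', as (a, b) pairs.

    Bitstrings are tuples of 0/1; x_i is the i-th block of ell' bits read as
    an integer.  Requires ell to be a multiple of ell'.
    """
    assert ell % ell_prime == 0
    blocks = ell // ell_prime
    mod = 2 ** ell_prime
    return [(a, b) for a in product(range(mod), repeat=blocks) for b in range(mod)]


def evaluate(func, x, ell_prime):
    """Evaluate the family member func = (a, b) on the bitstring x."""
    a, b = func
    mod = 2 ** ell_prime
    total = b
    for i, a_i in enumerate(a):
        block = x[i * ell_prime:(i + 1) * ell_prime]
        x_i = int("".join(map(str, block)), 2)
        total += a_i * x_i
    return total % mod


def is_strongly_2_universal(ell, ell_prime):
    """For every x != x' and every (y, y'), count the functions with
    f(x) = y and f(x') = y' and compare to |G| / 2^(2 ell')."""
    family = make_family(ell, ell_prime)
    mod = 2 ** ell_prime
    if len(family) % (mod * mod) != 0:
        return False
    expected = len(family) // (mod * mod)
    inputs = list(product((0, 1), repeat=ell))
    for x in inputs:
        for xp in inputs:
            if x == xp:
                continue
            counts = {}
            for func in family:
                key = (evaluate(func, x, ell_prime), evaluate(func, xp, ell_prime))
                counts[key] = counts.get(key, 0) + 1
            for y in range(mod):
                for yp in range(mod):
                    if counts.get((y, yp), 0) != expected:
                        return False
    return True


if __name__ == "__main__":
    # |G| = 2^4 = 16 functions for ell = 3, each pair (y, y') hit 16/4 = 4 times
    print(len(make_family(3, 1)), is_strongly_2_universal(3, 1))
```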
Channels and Stegosystems. In order to be able to embed messages into unsuspicious communication, we first need to provide a definition for this. We model the communication as a unidirectional transfer of documents that we will treat as strings of length n over a constant-size alphabet \(\varSigma \). The communication is defined via the concept of a channel \(\mathcal {C}\) on \(\varSigma \): a function that maps, for every \(n\in \mathbb {N}\), a history \(\mathsf {hist}\in (\varSigma ^{n})^{*}\) to a probability distribution on \(\varSigma ^{n}\). We denote this probability distribution by \(\mathcal {C}_{\mathsf {hist},n}\) and its min-entropy \(H_{\infty }(\mathcal {C},n)\) as \(\min _{\mathsf {hist}}\{H_{\infty }(\mathcal {C}_{\mathsf {hist},n})\}\).
Definition 1
We say that a channel \(\mathcal {C}\) is memoryless, if \(\mathcal {C}_{\mathsf {hist},n}=\mathcal {C}_{\mathsf {hist}',n}\) for all \(\mathsf {hist},\mathsf {hist}'\), i.e. if the history has no effect on the channel distribution.
Note the difference between memoryless and 0-memoryless channels of Lysyanskaya and Meyerovich [32], where only the length of the history has an influence on the channel, since the channel distributions are described by the use of memoryless Markov chains:
Definition 2
([32]). A channel \(\mathcal {C}\) is 0-memoryless, if \(\mathcal {C}_{\mathsf {hist},n}=\mathcal {C}_{\mathsf {hist}',n}\) for all \(\mathsf {hist},\mathsf {hist}'\) such that \(|\mathsf {hist}|=|\mathsf {hist}'|\).
A stegosystem \(\mathsf {PKStS}\) tries to embed messages of length \(\mathsf {PKStS}\,\!.\,\!\mathsf {ml}\) into \(\mathsf {PKStS}\,\!.\,\!\mathsf {ol}\) documents of the channel \(\mathcal {C}\) that each have size \(\mathsf {PKStS}\,\!.\,\!\mathsf {dl}\), such that this sequence is indistinguishable from a sequence of typical documents. A public-key stegosystem \(\mathsf {PKStS}\) with message length \(\mathsf {PKStS}\,\!.\,\!\mathsf {ml}:\mathbb {N}\rightarrow \mathbb {N}\), document length \(\mathsf {PKStS}\,\!.\,\!\mathsf {dl}:\mathbb {N}\rightarrow \mathbb {N}\), and output length \(\mathsf {PKStS}\,\!.\,\!\mathsf {ol}:\mathbb {N}\rightarrow \mathbb {N}\) (all functions of the security parameter \(\kappa \)) is a triple of polynomial probabilistic Turing machines (PPTMs) \([\mathsf {PKStS}\,\!.\,\!\mathsf {Gen},\mathsf {PKStS}\,\!.\,\!\mathsf {Enc},\mathsf {PKStS}\,\!.\,\!\mathsf {Dec}]\) with the functionalities:
- The key generation \(\mathsf {Gen}\) on input \(1^{\kappa }\) produces a pair \((\textit{pk},\textit{sk})\) consisting of a public key \(\textit{pk}\) and a secret key \(\textit{sk}\) (we assume that \(\textit{sk}\) also fully contains \(\textit{pk}\)).
- The encoding algorithm \(\mathsf {Enc}\) takes as input the public key \(\textit{pk}\), a message \(m\in \{0,1\}^{\mathsf {ml}(\kappa )}\), a history \(\mathsf {hist}\in (\varSigma ^{\mathsf {dl}(\kappa )})^{*}\) and some state information \(s\in \{0,1\}^{*}\) and produces a document \(d\in \varSigma ^{\mathsf {dl}(\kappa )}\) and state information \(s'\in \{0,1\}^{*}\) by being able to sample from \(\mathcal {C}_{\mathsf {hist},\mathsf {dl}(\kappa )}\). By \(\mathsf {Enc}^{\mathcal {C}}(\textit{pk},m,\mathsf {hist})\), we denote the complete output of \(\mathsf {ol}(\kappa )\) documents one by one. Note that generally, the encoder needs to decide upon document \(d_{i}\) before it is able to get samples for the \((i+1)\)-th document, as in the secret-key model of Hopper et al. [23, Sect. 2, “channel access”] and the public-key model of von Ahn and Hopper [38, 39, Sect. 3]. This captures the notion that an attacker should have as much information as possible while the stegosystem is not able to look ahead into the future. To highlight this restriction, we call this model the non-look-ahead model. Note that this is no restriction for memoryless channels.
- The decoding algorithm \(\mathsf {Dec}\) takes as input the secret key \(\textit{sk}\), a sequence of documents \(d_{1},\ldots ,d_{\mathsf {ol}(\kappa )}\), history \(\mathsf {hist}\) and outputs a message \(m'\).
The following properties are essential for stegosystems \(\mathsf {PKStS}\) with output length \(\ell =\mathsf {PKStS}\,\!.\,\!\mathsf {ol}(\kappa )\). It is universal (black box), if it works on every channel without prior knowledge of the probability distribution of the channel. Clearly channels with too small min-entropy (such as deterministic channels) are not suitable for steganographic purposes. We thus concentrate only on channels with sufficiently large min-entropy.
The system is reliable if the probability that the decoding fails is bounded by a negligible function. Formally, the unreliability \(\mathbf {UnRel}_{\mathsf {PKStS},\mathcal {C}}(\kappa )\) is defined as the probability that the decoding fails, i.e.
The system \(\mathsf {PKStS}\) is secure, if every polynomial attacker \(\mathsf {W}\) (the warden) has only negligible success probability. \(\mathsf {W}\) works in two phases: In the first phase (called \(\mathsf {W}\,\!.\,\!\mathsf {Find}\)), the warden has access to the channel \(\mathcal {C}\) and to a decoding oracle \(\mathsf {Dec}_{\textit{sk}}(\cdot )\), that returns upon input \(d_{1},\ldots ,d_{\ell }\) and \(\mathsf {hist}\) the same result as \(\mathsf {PKStS}\,\!.\,\!\mathsf {Dec}(\textit{sk},(d_{1},\ldots ,d_{\ell }),\mathsf {hist})\). At the end of the first phase, the warden chooses a message \(m^{*}\) and a history \(\mathsf {hist}^{*}\).
At the beginning of the second phase (called \(\mathsf {W}\,\!.\,\!\mathsf {Guess}\)), the warden gets a sequence of documents \(\varvec{d}^{*}=d_{1}^{*},\ldots ,d_{\ell }^{*}\), which is with probability of \(50\%\) the result of \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}^{\mathcal {C}}(\textit{pk},m^{*},\mathsf {hist}^{*})\) and with probability of \(50\%\) just the result of sampling \(\ell \) random documents from \(\mathcal {C}_{\mathsf {hist}^{*},n}\), which we denote as \(\mathcal {C}_{\mathsf {hist}^{*},n}^{\ell }\). Speaking more precisely, this sampling is done as follows: \(d^{*}_i\leftarrow \mathcal {C}_{\mathsf {hist}^{*}\mid \mid d^{*}_1\mid \mid \ldots \mid \mid d^{*}_{i-1},n}\) for \(i=1,\ldots ,\ell \). Next, the warden should distinguish between these two cases by having access to another decoding oracle. Depending on the oracle type, two definitions for security were proposed by Backes and Cachin in [3].
In the SS-CCA-model (chosen covertext attack), the decoding oracle, denoted as \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*}}(\cdot )\), works like \(\mathsf {Dec}_{\textit{sk}}(\cdot )\) on every input different from \(\varvec{d}^{*}\). If \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*}}(\cdot )\) is called with input \(\varvec{d}^{*}\), it simply returns \(\bot \). In the weaker SS-RCCA-model (restricted chosen ciphertext attack), the decoding oracle, denoted as \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*},m^{*}}(\cdot )\), works like \(\mathsf {Dec}_{\textit{sk}}(\cdot )\) on most inputs: If the input d equals \(\varvec{d}^{*}\) or is a valid encoding of \(m^{*}\) (a replay of \(\varvec{d}^{*}\)), the oracle simply returns \(\bot \).
Formally, SS-CCA-security is defined by the SS-CCA-security game given below and the advantage of \(\mathsf {W}=[\mathsf {W}\,\!.\,\!\mathsf {Find},\mathsf {W}\,\!.\,\!\mathsf {Guess}]\) is defined as
A stegosystem \(\mathsf {PKStS}\) is called SS-CCA-secure against channel \(\mathcal {C}\) if for some negligible function \(\mathsf {negl}\) and all wardens \(\mathsf {W}\), we have \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},\mathsf {PKStS},\mathcal {C}}(\kappa )\le \mathsf {negl}(\kappa )\). We define SS-RCCA-security analogously, where the \(\mathsf {Guess}\) phase uses \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*},m^{*}}\) as decoding oracle. Formally, a stegosystem is universally SS-CCA-secure (or just universal), if it is SS-CCA-secure against all channels of sufficiently large (i.e. super-logarithmic in \(\kappa \)) min-entropy.
Cryptographic Primitives. Due to space constraints, we only give informal definitions of the used cryptographic primitives and refer the reader to the textbook of Katz and Lindell [24] for complete definitions.
We will make use of different cryptographic primitives, namely hash functions, pseudorandom permutations and CCA-secure cryptosystems. A collision-resistant hash function (CRHF) \( \mathsf {H}=( \mathsf {H}\,\!.\,\!\mathsf {Gen}, \mathsf {H}\,\!.\,\!\mathsf {Eval})\) is a pair of PPTMs such that \( \mathsf {H}\,\!.\,\!\mathsf {Gen}\) upon input \(1^{\kappa }\) produces a key \(k\in \{0,1\}^{\kappa }\). The keyed function \( \mathsf {H}\,\!.\,\!\mathsf {Eval}\) takes the key \(k\leftarrow \mathsf {H}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\) and a string \(x\in \{0,1\}^{ \mathsf {H}\,\!.\,\!\mathsf {in}(\kappa )}\) and produces a string \( \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k}(x)\) of length \( \mathsf {H}\,\!.\,\!\mathsf {out}(\kappa ) < \mathsf {H}\,\!.\,\!\mathsf {in}(\kappa )\). The probability of every PPTM \(\mathsf {Fi}\) to find a collision – two strings \(x\ne x'\) such that \( \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k}(x)= \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k}(x')\) – upon random choice of k is negligible. For a set X, denote by \(\mathsf {Perms}(X)\) the set of all permutations on X. A pseudorandom permutation (PRP) \( \mathsf {P}=( \mathsf {P}\,\!.\,\!\mathsf {Gen}, \mathsf {P}\,\!.\,\!\mathsf {Eval})\) is a pair of PPTMs such that \( \mathsf {P}\,\!.\,\!\mathsf {Gen}\) upon input \(1^{\kappa }\) produces a key \(k\in \{0,1\}^{\kappa }\). The keyed function \( \mathsf {P}\,\!.\,\!\mathsf {Eval}\) takes the key \(k\leftarrow \mathsf {P}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\) and is a permutation on the set \(\{0,1\}^{ \mathsf {P}\,\!.\,\!\mathsf {in}(\kappa )}\). An attacker \(\mathsf {Dist}\) (the distinguisher) is given black-box access to \(P\twoheadleftarrow \mathsf {Perms}(\{0,1\}^{ \mathsf {P}\,\!.\,\!\mathsf {in}(\kappa )})\) or to \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k}\) for a randomly chosen k and should distinguish between those scenarios. The success probability of every \(\mathsf {Dist}\) is negligible. 
A public key encryption scheme (PKES) \(\mathsf {PKES}=(\mathsf {PKES}\,\!.\,\!\mathsf {Gen},\mathsf {PKES}\,\!.\,\!\mathsf {Enc},\mathsf {PKES}\,\!.\,\!\mathsf {Dec})\) is a triple of PPTMs such that \(\mathsf {PKES}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\) produces a pair of keys \((\textit{pk},\textit{sk})\) with \(|\textit{pk}| = \kappa \) and \(|\textit{sk}| = \kappa \). The key \(\textit{pk}\) is called the public key and the key \(\textit{sk}\) is called the secret key (or private key). The encryption algorithm \(\mathsf {PKES}\,\!.\,\!\mathsf {Enc}\) takes as input \(\textit{pk}\) and a plaintext \(m\in \{0,1\}^{\mathsf {PKES}\,\!.\,\!\mathsf {ml}(\kappa )}\) of length \(\mathsf {PKES}\,\!.\,\!\mathsf {ml}(\kappa )\) and outputs a ciphertext \(c\in \{0,1\}^{\mathsf {PKES}\,\!.\,\!\mathsf {cl}(\kappa )}\) of length \(\mathsf {PKES}\,\!.\,\!\mathsf {cl}(\kappa )\). The decryption algorithm \(\mathsf {PKES}\,\!.\,\!\mathsf {Dec}\) takes as input \(\textit{sk}\) and the ciphertext c and produces a plaintext \(m\in \{0,1\}^{\mathsf {PKES}\,\!.\,\!\mathsf {ml}(\kappa )}\). Informally, we will allow an attacker \(\mathsf {A}\) to first choose a message \(m^{*}\) that should be encrypted and denote this by \(\mathsf {A}\,\!.\,\!\mathsf {Find}\). In the next step (\(\mathsf {A}\,\!.\,\!\mathsf {Guess}\)), the attacker gets \(c^{*}\), which is either \(\mathsf {Enc}(\textit{pk},m^{*})\) or a random bitstring. He is allowed to decrypt ciphertexts different from \(c^{*}\) and his task is to distinguish between these two cases. This security notion is known as security against chosen-ciphertext$ attacks (CCA$). For an attacker \(\mathsf {A}\) on cryptographic primitive \(\varPi \in \{\text {hash},\text {prp},\text {pkes}\}\) with implementation X, we write \(\mathbf {Adv}^{\varPi }_{\mathsf {A},X,\mathcal {C}}(\kappa )\) for the success probability of \(\mathsf {A}\) against X relative to channel \(\mathcal {C}\), i.e.
the attacker \(\mathsf {A}\) also has access to a sampling oracle of \(\mathcal {C}\). In case of encryption schemes, the superscript cca$ is used instead of \(\text {pkes}\).
Due to the works [16, 18, 31, 34] we know that CCA$-secure cryptosystems and PRPs can be constructed from doubly-enhanced trapdoor permutations resp. one-way functions, while CRHFs cannot be constructed from them in a black-box way, as Simon showed an oracle-separation in [37].
3 Detecting the Scheme of Backes and Cachin
In order to understand the difference between SS-CCA-security and the closely related, but weaker, SS-RCCA-security, we give a short presentation of the universal SS-RCCA-stegosystem of Backes and Cachin [3]. We also show that their system is not SS-CCA-secure, which was already noted by Hopper in [21]. The proof of insecurity nicely illustrates the difference between the security models. It also highlights the main difficulty of SS-CCA-security: One needs to prevent so called replay attacks, where the warden constructs upon stegotext c another stegotext \(c'\) – the replay of c – that embeds the same message as c.
Backes and Cachin [3] showed that there is a universal SS-RCCA-secure stegosystem under the assumption that a replayable chosen-covertext$ (RCCA$)-secure cryptosystem exists. They make use of a technique called rejection sampling. Let \(\{G_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a strongly 2-universal hash function family, \(f\in G_{\kappa }\) a function, \(\mathcal {C}\) be a channel, \(\mathsf {hist}\) be a history and \(b\in \{0,1\}\) be a bit. The algorithm \(\mathsf {rejsam}(f,\mathcal {C},b,\mathsf {hist})\) samples documents \(d\leftarrow \mathcal {C}_{\mathsf {hist},\mathsf {dl}(\kappa )}\) until it finds a document \(d^{*}\) such that \(f(d^{*})=b\) or until it has sampled \(\kappa \) documents. If \(\mathsf {PKES}\) is an RCCA$-secure cryptosystem, they define a stegosystem that computes \((b_{1},\ldots ,b_{\ell })\leftarrow \mathsf {PKES}\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) and then sends \(d_{1},d_{2},\ldots ,d_{\ell }\), where \(d_{i}\leftarrow \mathsf {rejsam}(f,\mathcal {C},b_{i}, \mathsf {hist}|| d_{1} || \ldots || d_{i-1})\). The function \(f\in G_{\kappa }\) is also part of the public key. The system is universal as it does not assume any knowledge on \(\mathcal {C}\).
They then prove that this stegosystem is SS-RCCA-secure. And indeed, one can show that their stegosystem is not SS-CCA-secure by constructing a generic warden \(\mathsf {W}\) that works as follows: The first phase \(\mathsf {W}\,\!.\,\!\mathsf {Find}\) chooses as message \(m^{*}=00\cdots 0\) and as \(\mathsf {hist}^{*}\) the empty history \(\varnothing \). The second phase \(\mathsf {W}\,\!.\,\!\mathsf {Guess}\) gets \(\varvec{d}^{*}={d}^{*}_{1},\ldots ,{d}^{*}_{\ell }\) which is either a sequence of random documents or the output of the stegosystem on \(\textit{pk}\), \(m^{*}\), and \(\mathsf {hist}^{*}\). The warden \(\mathsf {W}\) now computes another document \(d'\) via rejection sampling that embeds \(f(d^{*}_{\ell })\) (the replay of \(\varvec{d}^{*}\)) and decodes \({d}^{*}_{1},\ldots ,{d}^{*}_{\ell -1},{d}'\) via the decoder of the rejection sampling stegosystem. It then returns 0 if the returned message \(m'\) consists only of zeroes. If \(\varvec{d}^{*}\) was a sequence of random documents, it is highly unlikely that \(\varvec{d}^{*}\) decodes to a message that only consists of zeroes. If \(\varvec{d}^{*}\) was produced by the stegosystem, the decoder only returns something different from the all-zero-message if \(d'={d}^{*}_{\ell }\), which is highly unlikely. The warden \(\mathsf {W}\) has advantage of \(1-\mathsf {negl}(\kappa )\) and the stegosystem is thus not SS-CCA-secure. Backes and Cachin posed the question whether a universal SS-CCA-secure stegosystem exists.
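To make the difference between the two oracles concrete, here is an added toy model (our code, not the paper's or Backes and Cachin's) of the rejection-sampling encoder over a constructed uniform channel of 8-bit documents, with the ciphertext replaced by the plain message bits (the encryption step is not modelled) and f a single-bit member of the hash family of Sect. 2; it shows that the replay of Sect. 3 is answered by \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*}}\) but refused by \(\mathsf {Dec}_{\textit{sk},\varvec{d}^{*},m^{*}}\).

```python
# Added example: rejection-sampling stegosystem of Section 3 on a toy channel,
# with the SS-CCA and SS-RCCA decoding oracles side by side.
import random

DOC_LEN = 8   # bits per document of the constructed channel
KAPPA = 16    # sampling bound kappa of rejsam


def sample_document(rng):
    """Constructed memoryless channel: uniform DOC_LEN-bit documents."""
    return tuple(rng.randrange(2) for _ in range(DOC_LEN))


def f_hash(a, b, doc):
    """f(x) = (sum a_i x_i + b) mod 2: one-bit member of the hash family."""
    return (sum(ai * xi for ai, xi in zip(a, doc)) + b) % 2


def rejsam(f, bit, rng):
    """Sample until f(d) == bit or kappa documents were drawn."""
    d = None
    for _ in range(KAPPA):
        d = sample_document(rng)
        if f(d) == bit:
            break
    return d  # after kappa misses the last sample is sent (embedding error)


def encode(f, bits, rng):
    """d_i <- rejsam(f, b_i); the history plays no role on a memoryless channel."""
    return [rejsam(f, b, rng) for b in bits]


def decode(f, docs):
    """Decoder of the rejection-sampling system: read f on each document."""
    return [f(d) for d in docs]


def replay_last(f, docs, rng):
    """The replay of Section 3: a fresh document embedding f(d_l) replaces d_l.
    On this low-entropy toy channel the draw is retried until the fresh
    document differs from d_l, which a real channel makes overwhelmingly likely."""
    target = f(docs[-1])
    fresh = docs[-1]
    for _ in range(KAPPA):
        cand = sample_document(rng)
        if f(cand) == target and cand != docs[-1]:
            fresh = cand
            break
    return docs[:-1] + [fresh]


def oracle_cca(f, challenge, query):
    """Dec_{sk,d*}: refuses only the exact challenge sequence."""
    return None if query == challenge else decode(f, query)


def oracle_rcca(f, challenge, m_star, query):
    """Dec_{sk,d*,m*}: also refuses every valid encoding of m* (a replay)."""
    if query == challenge or decode(f, query) == m_star:
        return None
    return decode(f, query)


def warden_guess(f, challenge, rng, oracle):
    """W.Guess: output 0 ('stegotext') iff the oracle decodes the replay to 0^l."""
    replayed = replay_last(f, challenge, rng)
    return 0 if oracle(replayed) == [0] * len(challenge) else 1


def run_demo(seed=1):
    rng = random.Random(seed)
    a, b = (1, 0, 1, 1, 0, 1, 0, 1), 1   # constructed public hash parameters

    def f(d):
        return f_hash(a, b, d)

    m_star = [0] * 8                       # W.Find chooses m* = 00...0
    stego = encode(f, m_star, rng)         # challenge d* in the stego case
    cca = lambda q: oracle_cca(f, stego, q)
    rcca = lambda q: oracle_rcca(f, stego, m_star, q)
    return {
        "stego_decodes": decode(f, stego) == m_star,
        "warden_cca_on_stego": warden_guess(f, stego, rng, cca),    # 0: detected
        "warden_rcca_on_stego": warden_guess(f, stego, rng, rcca),  # 1: blocked
    }
```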
4 A High-Level View of Our Stegosystem
The stegosystem of Backes and Cachin only achieves SS-RCCA-security as a single ciphertext has many different possible encodings in terms of the documents used. Hopper achieves SS-CCA-security by limiting those encodings: Due to the sampleability of the channel, each ciphertext has exactly one deterministic encoding in terms of the documents. While Hopper achieves SS-CCA-security, he needs to give up the universality of the stegosystem, as a description of the channel is hard-wired into the stegosystem. In order to handle as many channels as possible, we will allow many different encodings of the same ciphertext, but make it hard to find them for anyone but the stegoencoder. To simplify the presentation, we focus on the case of embedding a single bit per document. Straightforward modifications allow embedding of \(\log (\kappa )\) bits.
Our stegosystem, named \(\mathsf {PKStS}^{*}\) will use the following approach to encode a message m: It first samples, for sufficiently large N, a set D of N documents from the channel \(\mathcal {C}\) and uses a strongly 2-universal hash function \(f\in G_{\kappa }\) to split these documents into documents \(D_0\) that encode bit 0 (i.e. \(D_{0}=\{d\in D\mid f(d)=0\}\)) and \(D_1\) that encode bit 1 (i.e. \(D_{1}=\{d\in D\mid f(d)=1\}\)). Now we encrypt the message m via a certain public-key encryption system, named \(\mathsf {PKES}^{*}\) (described in the next section), and obtain a ciphertext \(\varvec{b}=b_{1},\ldots ,b_{L}\) of length \(L=\lfloor N/8 \rfloor \). Next our goal is to order the documents in D into a sequence \(\varvec{d}=d_{1},\ldots ,d_{N}\) such that the first L documents \(d_{1},\ldots ,d_{L}\) encode \(\varvec{b}\) (i.e. \(f(d)_{i}=b_{i}\)). This ordering is performed by the algorithm \( \mathsf {generate}\). However, the attacker still has several possibilities for a replay attack on this scheme, for example:
- He could exchange some document \(d_{i}\) by another document \(d'_{i}\) with \(f(d_{i})=f(d'_{i})\) (as f is publicly known) and the sequence \(d_{1},\ldots ,d_{i-1},d'_{i},d_{i+1},\ldots ,d_{N}\) would be a replay of \(\varvec{d}\). Such attacks will be called sampling attacks. To prevent the attacker from exchanging a sampled document by a non-sampled one, we also encode a hash-value of all sampled documents D and transmit this hash value to Bob.
- The attacker can exchange documents \(d_{i}\) and \(d_{j}\), with \(i < j\) and \(f(d_{i})=f(d_{j})\), and the resulting sequence \(d_{1},\ldots ,d_{i-1},d_{j},d_{i+1},\ldots ,d_{j-1},d_{i},d_{j+1},\ldots ,d_{N} \) would be a replay of \(\varvec{d}\). Such attacks will be called ordering attacks. We thus need to prevent the attacker from exchanging the positions of sampled documents. We achieve this by making sure that the ordering of the documents generated by \( \mathsf {generate}\) is deterministic, i.e. for each set of documents D and each ciphertext \(\varvec{b}\) there is exactly one ordering \(\varvec{d}\) that \( \mathsf {generate}\) produces. This property is achieved by using PRPs to sort the sampled documents D. The corresponding keys of the PRPs are also transmitted to Bob and the stegodecoder can thus also compute this deterministic ordering.
In total, our stegoencoder \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) works on a secret message m and on a publicly known hash-function f as follows:
1. Sample N documents D from the channel;
2. Get a hash-key \(k_{ \mathsf {H}}\) and compute a hash-value \(h= \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(\text {lex}(D))\) of the sampled documents, where \(\text {lex}(D)\) denotes the sequence of elements of D in lexicographic order. This prevents sampling attacks, where a sampled document is replaced by a non-sampled one;
3. Get two PRP-keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) that will be used to determine the unique ordering of the documents in D via \( \mathsf {generate}\). This prevents ordering attacks, where the order of the sampled documents is switched;
4. Encrypt the concatenation of \(m, k_{ \mathsf {H}}, k_{ \mathsf {P}}, k'_{ \mathsf {P}}, h\) via a certain public key encryption scheme \(\mathsf {PKES}^{*}\) and obtain the ciphertext \(\varvec{b}\) of length \(L=\lfloor N/8 \rfloor \). As long as \(\mathsf {PKES}^{*}\) is secure, the stegodecoder is thus able to verify whether all sampled documents were sent and can also verify the ordering of the documents.
5. Compute the ordering \(\varvec{d}\) of the documents D via \( \mathsf {generate}\), which uses the PRP keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) to determine the ordering of the documents. It also uses the ciphertext \(\varvec{b}\) to guarantee that the first L sent documents encode the ciphertext \(\varvec{b}\), i.e. \(b_1\ldots b_L=f(d_1)\ldots f(d_L)\);
6. Send the ordering of the documents \(\varvec{d}\).
To decode a sequence of documents \(\varvec{d} = d_1,\ldots ,d_{N}\), the stegodecoder of \(\mathsf {PKStS}^{*}\) computes the ciphertext \(b_1=f(d_1),\ldots ,b_{L}=f(d_{L})\) encoded in the first L documents of \(\varvec{d}\). It then decodes this ciphertext \(b_1\ldots b_L\) via \(\mathsf {PKES}^{*}\) to obtain the message m, the PRP keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\), the hash-key \(k_{ \mathsf {H}}\) and the hash-value h. First it verifies the hash-value by checking whether \( \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(\text {lex}(\{d_1,\ldots ,d_N\}))\) equals the hash-value h, to prevent sampling attacks. It then uses the PRP keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) to compute an ordering of the received documents via \( \mathsf {generate}\) to verify that no ordering attack was used. If these validations are successful, the decoder \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\) returns m; otherwise, it concludes that \(\varvec{d}\) is not a valid stegotext and returns \(\bot \).
Intuitively, it is clear that a successful sampling attack on this scheme would break the collision-resistant hash function \( \mathsf {H}\), as it needs to create a collision of \(\text {lex}(D)\) in order to pass the first verification step. Furthermore, a successful ordering attack would need to manipulate the ciphertext \(\varvec{b}\) and thus break the security of the public key encryption scheme \(\mathsf {PKES}^{*}\), as the PRP keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) guarantee a deterministic ordering of the documents.
As explained above, our stegoencoder computes the ordering \(\varvec{d}= d_1,\ldots ,d_{N}\) of the documents \(D=\{d_1,\ldots ,d_{N}\}\) via the deterministic algorithm \( \mathsf {generate}\), which is given the following parameters: the set of documents D, the hash-function f and the ciphertext \(\varvec{b}\), to ensure that the first documents of the ordering encode \(\varvec{b}\). It furthermore has access to the PRP keys \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) that guarantee a deterministic ordering of the documents in D and thus prevent ordering attacks. As the ordering \(\varvec{d}\) produced by \( \mathsf {generate}\) is sent by the stegoencoder, this ordering must be indistinguishable from a random permutation on D (which equals the channel distribution) in order to be undetectable. As \(f(d_1)=b_1,\ldots , f(d_L)=b_L\), not every distribution on the ciphertext \(\varvec{b}\) can be used to guarantee that \(\varvec{d}\) is indistinguishable from a uniformly random permutation. This indistinguishability is guaranteed by requiring that the ciphertext \(\varvec{b}\) is distributed according to a certain distribution corresponding to a random process modeled by drawing black and white balls from an urn without replacement. In our setting, the documents in D will play the role of the balls and the coloring is given by the function f.
Section 5 describes this random process in detail and proves that we can indeed construct a public-key encryption system that produces ciphertexts that are indistinguishable from this process. Section 6 contains a formal description of \( \mathsf {generate}\), proves that no attacker can produce a replay of its output and shows that the generated permutation is indeed indistinguishable from a random permutation. Finally, Sect. 7 contains the complete description of the stegosystem.
5 Obtaining Biased Ciphertexts
We will now describe a probability distribution and show how one can derive a symmetric encryption scheme with ciphertexts that are indistinguishable from this distribution. In order to do this, we first define a channel that represents the required probability distribution together with appropriate parameters, use Theorem 3 to derive a stegosystem for this channel, and finally derive a cryptosystem from this stegosystem.
Based upon a CCA$-secure public-key cryptosystem \(\mathsf {PKES}\), Hopper [21] constructs for every efficiently sampleable channel \(\mathcal {C}\) an SS-CCA-secure stegosystem \(\mathsf {PKStS}_{\mathcal {C}}\) by “derandomizing” the rejection sampling algorithm. The only requirement upon the channel \(\mathcal {C}\) is the existence of the efficient sampling algorithm and that the stegoencoder and the stegodecoder use the same sampling algorithm. Importantly, due to the efficient sampleability of \(\mathcal {C}\), the encoder of \(\mathsf {PKStS}_{\mathcal {C}}\) does not need access to the sample oracle. Thus, we get the following result.
Theorem 3
(Theorem 2 in [21]). If \(\mathcal {C}\) is an efficiently sampleable channel and \(\mathsf {PKES}\) is a CCA$-secure public-key cryptosystem (which can be constructed from doubly enhanced trapdoor permutations) then there is a stegosystem \(\mathsf {PKStS}_{\mathcal {C}}\) (without access to the sample oracle) such that for all wardens \(\mathsf {W}\) there is a negligible function \(\mathsf {negl}\) such that
Note that the system \(\mathsf {PKStS}_{\mathcal {C}}\) is guaranteed to be secure (under the assumption that CCA$-secure public-key cryptosystems exist), if the channel \(\mathcal {C}\) is efficiently sampleable and has min-entropy \(\omega (\log \kappa )\). We call such a channel suitable.
The probability distribution for the ciphertexts we are interested in is the distribution for the bitstrings \(\varvec{b}\) we announced in the previous section. As we will see later, the required distribution can be described equivalently as follows:
- We are given N elements: \(N_{0}\) of them are labeled with 0 and the remaining \(N-N_{0}\) elements are labeled with 1.
- We draw randomly a sequence of K elements from the set (drawing without replacement) and look at the generated bitstring \(\varvec{b}=b_{1}\ldots b_{K}\) of length K determined by the labels of the elements.
We will assume that there are enough elements of both types, i.e. that \(N_{0}\ge K\) and \(N-N_{0}\ge K\). The resulting probability distribution, denoted as \(D^{*}_{(N,N_{0},K)}\), upon bitstrings of length K is then given as
where \(|\varvec{b}|_{0}\) denotes the number of zero bits in \(\varvec{b}=b_{1},\ldots ,b_{K}\) and \(|\varvec{b}|_{1}\) the number of one bits in \(\varvec{b}\). Note that the distribution on the number of zeroes within such bitstrings is a hypergeometric distribution with parameters N, \(N_{0}\), and K.
Now we will construct a channel \(\mathcal {C}^{*}\) upon key parameter \(\kappa \) with document length \(n=\mathsf {dl}(\kappa )=\kappa \). In the definition below, \(\text {bin}(x)_{y}\) denotes the binary representation of length exactly y for the integer x.
- For the empty history \(\varnothing \), let \(\mathcal {C}^{*}_{\varnothing ,\kappa }\) be the uniform distribution on all strings \(\text {bin}(N)_{\lceil \kappa /2 \rceil }\text {bin}(N_{0})_{\lfloor \kappa /2 \rfloor }\) that range over all positive integers \(N,N_0\le 2^{ \lfloor \kappa /2 \rfloor }\) such that \(N\ge 8\kappa \) and \(1/3 \le N_{0}/N \le 2/3\) (in our construction we initially need a stronger condition than just \(N_{0}\ge \kappa \) and \(N-N_{0}\ge \kappa \)).
- If the history is of the form \(\mathsf {hist}'=\text {bin}(N)_{\lceil \kappa /2 \rceil }\text {bin}(N_{0})_{\lfloor \kappa /2 \rfloor }\mathsf {hist}\) for some \(\mathsf {hist}\in \{0,1\}^{*}\) then we consider two cases: if \(|\mathsf {hist}|\le \frac{1}{8}N\) then the distribution \(\mathcal {C}^{*}_{\mathsf {hist}',\kappa }\) equals \(D^{*}_{(N-|\mathsf {hist}|,N_{0}-|\mathsf {hist}|_{0},\kappa )}\); otherwise, i.e. if \(|\mathsf {hist}|> \frac{1}{8}N\), then \(\mathcal {C}^{*}_{\mathsf {hist}',\kappa }\) equals the uniform distribution over \(\{0,1\}^{\kappa }\).
It is easy to see that the min-entropy \(H_{\infty }(\mathcal {C}^{*},n)=\min _{\mathsf {hist}'}\{H_{\infty }(\mathcal {C}^{*}_{\mathsf {hist}',n})\}\) of the channel \(\mathcal {C}^{*}\) is obtained for the history \(\mathsf {hist}'=\text {bin}(N)_{\lceil \kappa /2 \rceil }\text {bin}(N_{0})_{\lfloor \kappa /2 \rfloor } \mathsf {hist}\), with \(8\kappa \le N \le 2^{ \lfloor \kappa /2 \rfloor }\) and such that (i) \(N_0=\frac{1}{3}N\) and \(\mathsf {hist}=00\ldots 0\) of length \(\frac{1}{8}N-\kappa \) or (ii) \(N_0=\frac{2}{3}N\) and \(\mathsf {hist}=11\ldots 1\) of length \(\frac{1}{8}N-\kappa \). In the first case we get that the min-entropy of the distribution \(\mathcal {C}^{*}_{\mathsf {hist}',n}\) is achieved on the bitstring \(11\ldots 1\) of length \(\kappa \) and in the second case on \(00\ldots 0\) of length \(\kappa \). By Eq. (1) the probabilities to get such strings are equal to each other and, since \(\kappa \le N/8\), they can be estimated as follows:
Thus, we get that \(H_{\infty }(\mathcal {C}^{*},n)\ge \kappa \log (9/8) \).
Moreover one can efficiently simulate the choice of \(N, N_{0}\), the sampling process of \(D^{*}_{(N,N_{0},\kappa )}\) and the uniform sampling in \(\{0,1\}^{\kappa }\). Therefore we can conclude
Lemma 4
The channel \(\mathcal {C}^{*}\) is suitable, i.e. it is efficiently sampleable and has min-entropy \(\omega (\log \kappa )\). Furthermore, for history \(\mathsf {hist}=\mathrm{{bin}}(N)_{\lceil \kappa /2 \rceil }\mathrm{{bin}}(N_{0})_{\lfloor \kappa /2 \rfloor }\), with \(8\kappa \le N \le 2^{\lceil \kappa /2 \rceil }\) and \(1/3 \le N_{0}/N \le 2/3\), and for any integer \(\ell \le \frac{N}{8 \kappa }\), the bitstrings \(\varvec{b}=b_1\ldots b_K\) of length \(K= \kappa \cdot \ell \le N/8\) obtained by the concatenation of \(\ell \) consecutive documents sampled from the channel with history \(\mathsf {hist}\), i.e. \(b_i \leftarrow \mathcal {C}^{*}_{\mathsf {hist}b_1 \ldots b_{i-1},n=\kappa }\), have distribution \(D^{*}_{(N,N_{0},K)}\).
A proof for the second statement of the lemma follows directly from the construction of the channel. Now, combining the first claim of the lemma with Theorem 3 we get the following corollary.
Corollary 5
If doubly enhanced trapdoor permutations exist, there is a stegosystem \(\mathsf {PKStS}_{\mathcal {C}^{*}}\) (without access to the sample oracle) such that for all wardens \(\mathsf {W}\) there is a negligible function \(\mathsf {negl}\) such that \( \mathbf {Adv}^{{\mathrm{ss}{\text {-}}\mathrm{cca}}}_{\mathsf {W},\mathsf {PKStS}_{\mathcal {C}^{*}},\mathcal {C}^{*}}(\kappa )\le \mathsf {negl}(\kappa ).\)
Based upon this stegosystem \(\mathsf {PKStS}=\mathsf {PKStS}_{\mathcal {C}^{*}}\), we construct a public-key cryptosystem \(\mathsf {PKES}^{*}\), with ciphertexts of length \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {cl}(\kappa ) = \kappa \cdot \mathsf {PKStS}\,\!.\,\!\mathsf {cl}(\kappa )\), such that \(\mathsf {PKES}^{*}\) also has another algorithm, called \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Setup}\), that takes two integer parameters N and \(N_{0}\) which satisfy \(8\cdot \mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {cl}(\kappa )\le N \le 2^{ \lfloor \kappa /2 \rfloor }\) and \(N_{0}/N \in [1/3,2/3]\). Calling \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Setup}(N,N_0)\) stores the values \(N,N_0\) such that \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Enc}\) and \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Dec}\) can use them.
- The key generation \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Gen}\) simply equals the key generation algorithm \(\mathsf {PKStS}\,\!.\,\!\mathsf {Gen}\).
- The encoding algorithm \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Enc}\) takes as parameters the public key \(\textit{pk}\) and a message m. It then simulates the encoder \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) on key \(\textit{pk}\), message m and history \(\mathsf {hist}=\text {bin}(N)_{\lceil \kappa /2 \rceil }\text {bin}(N_{0})_{\lfloor \kappa /2 \rfloor }\) and produces a bitstring of length \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {cl}(\kappa )=\mathsf {PKStS}\,\!.\,\!\mathsf {ol}(\kappa )\cdot \kappa \).
- The decoder \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Dec}\) simply inverts this process by simulating the stegodecoder \(\mathsf {PKStS}\,\!.\,\!\mathsf {Dec}\) on key \(\textit{sk}\) and history \(\mathsf {hist}=\text {bin}(N)_{\lceil \kappa /2 \rceil }\text {bin}(N_{0})_{\lfloor \kappa /2 \rfloor }\).
Clearly, the ciphertexts of \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) are indistinguishable from the distribution \(D^{*}_{(N,N_{0},\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa ))}\) by the second statement of Lemma 4. This generalization of Theorem 3 yields the following corollary:
Corollary 6
If doubly-enhanced trapdoor permutations exist, there is a secure public-key cryptosystem \(\mathsf {PKES}^{*}\), equipped with the algorithm \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Setup}\) that takes two parameters N and \(N_{0}\), such that its ciphertexts are indistinguishable from the probability distribution \(D^{*}_{(N,N_{0},\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa ))}\) whenever N and \(N_0\) satisfy that \(8\cdot \mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {cl}(\kappa )\le N \le 2^{ \lfloor \kappa /2 \rfloor }\) and \(N_{0}/N \in [1/3,2/3]\).
6 Ordering the Documents
As described before, to prevent replay attacks, we need to order the sampled documents. This is done via the algorithm \( \mathsf {generate}\) described in this section. To improve the readability, we will abbreviate some terms and define \(L=\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa )\) and \(n=\mathsf {PKStS}^{*}\!\,\!.\,\!\mathsf {dl}(\kappa )\), where \(\mathsf {PKES}^{*}\) is the public-key encryption scheme from the last section and \(\mathsf {PKStS}^{*}\) is our target stegosystem that we will provide later on. We also define \(N=8L\).
To order the set of documents \(D\subseteq \varSigma ^n\), we use the algorithm \( \mathsf {generate}\), presented below. It takes the set of documents D with \(|D|=N\), a hash function \(f:\varSigma ^n \rightarrow \{0,1\}\) from \(G_{\kappa }\), a bitstring \(b_1,\ldots ,b_{L}\), and two keys \(k_{ \mathsf {P}}, k'_{ \mathsf {P}}\) for PRPs. It then uses the PRPs to find the right order of the documents.
Note that the permutation \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {P}}}\) is a permutation upon the set \(\{0,1\}^{n}\) (i.e. on the documents themselves) and the canonical ordering of \(\{0,1\}^{n}\) thus implicitly gives us an ordering of the documents.
We note the following important property of \( \mathsf {generate}\) that shows where the urn model of the previous section comes into play. For uniform random permutations P and \(P'\), we denote by \( \mathsf {generate}(\cdots ,P,P')\) the run of \( \mathsf {generate}\), where the use of \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {P}}}\) is replaced by P and the use of \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k'_{ \mathsf {P}}}\) is replaced by \(P'\). If the bits \(\varvec{b}=b_{1},\ldots ,b_{L}\) are distributed according to \(D^{*}_{(N,|D_{0}|,L)}\), the resulting distribution on the documents then equals the channel distribution.
Lemma 7
Let \(\mathcal {C}\) be any memoryless channel, f be some hash function and D be a set of \(N=8L\) documents of \(\mathcal {C}\) such that \(N/3\le |D_{0}| \le 2N/3\), where \(D_{0}=\{d\in D\mid f(d)=0\}\). If the permutations \(P,P'\) are uniformly random and the bitstring \(\varvec{b}=b_{1},\ldots ,b_{L}\) is distributed according to \(D^{*}_{(N,|D_{0}|,L)}\), the output of \( \mathsf {generate}(D,f,\varvec{b},P,P')\) is a uniformly random permutation of D.
Proof
Fix any document set D of size \(N=8L\) and a function f that splits D into \(D_{0}\dot{\cup }D_{1}\), with \(|D_{0}| \ge N/3\) and \(|D_{1}|\ge N/3\). Let \(\varvec{\hat{d}}=\hat{d}_{1},\ldots ,\hat{d}_{N}\) be any permutation on D. We will prove that the probability (over the bits \(\varvec{b}\) and the permutations P, \(P'\)) that \(\varvec{\hat{d}}\) is produced is \(1/N!\) and thus establish the result. Let \(\varvec{d}=d_{1},\ldots ,d_{N}\) be the random variables that denote the outcome of \( \mathsf {generate}(D,f,b_{1},\ldots ,b_{L},P,P')\).
Note that if \(\varvec{d}[i]\) (resp. \(\varvec{\hat{d}}[i]\)) denotes the prefix of length i of \(\varvec{d}\) (resp. \(\varvec{\hat{d}}\)), then using the chain rule formula we get
To estimate each of the factors of the product, we consider two cases:
- Case \(i\le L\): Let \(\varvec{\hat{b}}=\hat{b}_1,\ldots ,\hat{b}_L\) be the bitstring such that \(\hat{b}_i=f(\hat{d}_i)\) and let \(\varvec{\hat{b}}[i]\) be the prefix \(\hat{b}_1,\ldots ,\hat{b}_i\) of \(\varvec{\hat{b}}\) of length i. Clearly, for \(i\le L\) it holds that the event \(d_i=\hat{d}_{i}\) under the condition \(\varvec{d}[i-1]=\varvec{\hat{d}}[i-1]\) occurs iff (A) \(d_{i}\in D_{\hat{b}_{i}}\) and (B) \(d_{i}\) is put on position \(|\varvec{\hat{b}}[i]|_{\hat{b}_{i}}\) by the permutation P with respect to \(D_{\hat{b}_{i}}\). Due to the distribution of bit \(b_{i}\) in the random bits \(\varvec{b}\), the event \(d_{i}\in D_{\hat{b}_{i}}\) occurs with probability \((|D_{\hat{b}_{i}}|-|\varvec{\hat{b}}[i-1]|_{\hat{b}_{i}})/(N-i+1)\) (under the above condition). As \(\varvec{d}[i-1]=\varvec{\hat{d}}[i-1]\) holds, exactly \(|\varvec{\hat{b}}[i-1]|_{\hat{b}_{i}}\) documents from \(D_{\hat{b}_{i}}\) are already used in the output. As P is a uniform random permutation, the probability that \(d_{i}\) is put on position \(|\varvec{\hat{b}}[i]|_{\hat{b}_{i}}\) by the permutation P (with respect to \(D_{\hat{b}_{i}}\)) is thus \(1/(|D_{\hat{b}_{i}}|-|\varvec{\hat{b}}[i-1]|_{\hat{b}_{i}})\). Since (A) and (B) are independent, we conclude for \(i\le L\) that the probability \(\Pr _{\varvec{b},P,P'}[d_i=\hat{d}_i\mid \varvec{d}[i-1] = \varvec{\hat{d}}[i-1]]\) is equal to
- Case \(i> L\): As the choice of \(P'\) is independent of the choice of P, the remaining 2L items are ordered completely at random. Hence, for \(i > L\) we also have
$$\begin{aligned} \mathop {\Pr }\limits _{\varvec{b},P,P'}[d_{i}=\hat{d}_{i} \mid \varvec{d}[i-1]=\varvec{\hat{d}}[i-1]] \ = \ \frac{1}{N-i+1}. \end{aligned}$$
Putting it together, we get
As explained above, a second property that we need is that no attacker should be able to produce a “replay” of the output of \( \mathsf {generate}\). Below, we formalize this notion and analyze the security of the algorithm. An attacker \( \mathsf {A}\) on \( \mathsf {generate}\) is a PPTM that receives nearly the same input as \( \mathsf {generate}\): a set D of N documents, a hash function \(f:\varSigma ^n \rightarrow \{0,1\}\) from the family \(G_{\kappa }\), a sequence \(b_{1},\ldots ,b_{L}\) of L bits, and a key \(k_{ \mathsf {H}}\) for the CRHF \( \mathsf {H}\). Then \( \mathsf {A}\) outputs a sequence \(d'_{1},\ldots ,d'_{N}\) of documents. We say that the algorithm \( \mathsf {A}\) is successful if
1. \(f(d_{i})=f(d'_{i})\) for all \(i=1,\ldots ,N\),
2. \(d'_{1},\ldots ,d'_{N}= \mathsf {generate}(D',f,b_{1},\ldots ,b_{L},k_{ \mathsf {P}},k'_{ \mathsf {P}})\), and
3. \( \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(\text {lex}(D'))= \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(\text {lex}(D))\),
where \(D'\) denotes the set \(\{d'_{1},\ldots ,d'_{N}\}\) and, recall, \(\text {lex}(X)\) denotes the sequence of elements of set X in lexicographic order. We can then conclude the following lemma.
Lemma 8
(Informal). Let \(D\subseteq \varSigma ^n\) be a set of documents with \(|D|=N\), let \(b_{1},\ldots ,b_{L}\) be a bitstring, and \(f\in G_{\kappa }\). For every attacker \( \mathsf {A}\) on \( \mathsf {generate}\), there is a collision finder \(\mathsf {Fi}\) for the CRHF \( \mathsf {H}\) such that the probability that \( \mathsf {A}\) is successful on \(D,f,b_{1},\ldots ,b_{L},k_{ \mathsf {H}}\) is bounded by \( \mathbf {Adv}_{\mathsf {Fi}, \mathsf {H},\mathcal {C}}^\mathrm{{\text {hash}}}(\kappa )\).
The formal definition of “\( \mathsf {A}\) is successful” as well as a formal statement of the lemma can be found in Appendix A.
7 The Steganographic Protocol \(\mathsf {PKStS}^{*}\)
We now have all of the ingredients of our stegosystem, namely the CCA-secure cryptosystem \(\mathsf {PKES}^{*}\) from Sect. 5 and the ordering algorithm \( \mathsf {generate}\) from Sect. 6. To improve the readability, we will abbreviate some terms and define \(n=\mathsf {PKStS}^{*}\!\,\!.\,\!\mathsf {dl}(\kappa )\), \(\ell =\mathsf {PKStS}^{*}\!\,\!.\,\!\mathsf {ol}(\kappa )\), and \(L=\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa )\), where \(\mathsf {PKES}^{*}\) is the public-key encryption scheme from Sect. 5 and \(\mathsf {PKStS}^{*}\) is the stegosystem that we will define in this section. We also let \(N=8L\).
In the following, let \(\mathcal {C}\) be a memoryless channel, \( \mathsf {P}\) be a PRP relative to \(\mathcal {C}\), \( \mathsf {H}\) be a CRHF relative to \(\mathcal {C}\) and \(\mathcal {G}=\{G_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a strongly 2-universal hash family. Remember that \(\mathsf {PKES}^{*}\) has the algorithm \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Setup}\) that takes the additional parameters \(N,N_{0}\le 2^{\lceil \kappa /2 \rceil }\), such that if \(N \ge 8\cdot \mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {cl}(\kappa )\) and \(N_{0}/N \in [1/3,2/3]\) then the output of \(\mathsf {PKES}^{*}\!\!\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) is indistinguishable from \(D^{*}_{(N,N_{0},\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa ))}\) (see Sect. 5 for a discussion). Furthermore, we assume that \(\mathsf {PKES}^{*}\) has very sparse support, i.e. the ratio of valid ciphertexts compared to \(\{0,1\}^{\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa )}\) is negligible: If \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) is called, we first use some public key encryption scheme \(\mathsf {PKES}\) with very sparse support to compute \(c\leftarrow \mathsf {PKES}\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) and then encrypt c via \(\mathsf {PKES}^{*}\). This construction is due to Lindell [29] and also maintains the indistinguishability of the output of \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}\) and the distribution \(D^{*}\), as these properties hold for all fixed messages m. Now we are ready to provide our stegosystem named \(\mathsf {PKStS}^{*}\). Its core is the ordering algorithm \( \mathsf {generate}\).
- The key generation \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Gen}\) queries \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Gen}\) for a key-pair \((\textit{pk},\textit{sk})\) and chooses a hash-function \(f\twoheadleftarrow G_{\kappa }\). The public key of the stegosystem will be \(\textit{pk}^{*}=(\textit{pk},f)\) and the secret key will be \(\textit{sk}^{*}=(\textit{sk},f)\).
- The encoding algorithm \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) presented below (as \(\mathcal {C}_n\) is memoryless we skip \(\mathsf {hist}\) in the description) works as described in Sect. 4: It chooses appropriate keys, samples documents D, computes a hash value of D, generates the bitstring \(\varvec{b}\) via \(\mathsf {PKES}^{*}\), and finally orders the documents via \( \mathsf {generate}\).
- To decode a sequence of documents \(d_1,\ldots ,d_{N}\), the stegodecoder \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\) first computes the bit string \(b_1=f(d_1),\ldots ,b_{N}=f(d_{N})\) and computes the number \(N_{0}=|\{d_{i}:f(d_{i})=0\}|\). In case \(|\{ d_1,\ldots ,d_{N}\}|< N\) or \(N_{0}/N\not \in [1/3,2/3]\), the decoder \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\) returns \(\bot \) and halts. Otherwise, using \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Dec}\) with \(\textit{sk}\) and parameters \(N, N_{0}\), it decrypts from the ciphertext \(b_1,b_2, \ldots , b_{L}\) the message m, the keys \(k_{ \mathsf {H}}, k_{ \mathsf {P}}, k'_{ \mathsf {P}}\) and the hash-value h. It then checks whether the hash-value h is correct and whether \(d_1,\ldots ,d_{N}= \mathsf {generate}(\{d_{1},\ldots ,d_{N}\},f,b_{1},\ldots ,b_{L},k_{ \mathsf {P}},k'_{ \mathsf {P}})\). Only if this is the case, the message m is returned. Otherwise, \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\) decides that it cannot decode the documents and returns \(\bot \).
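The following added example (illustration code, not the paper's own) models the urn distribution \(D^{*}_{(N,N_{0},K)}\) of Sect. 5, the ordering algorithm \( \mathsf {generate}\) and the decoder's recomputation check above. The exact form of \( \mathsf {generate}\) is an assumption reconstructed from the proof of Lemma 7, and the toy instance relaxes \(N=8L\) so that all choices of \(\varvec{b}\), P and \(P'\) can be enumerated exactly; the uniformity argument of Lemma 7 only needs at least L documents of each label.

```python
# Model of D*_{(N,N0,K)}, of generate (form reconstructed from the proof of
# Lemma 7, an assumption) and of the decoder-side recomputation check.
# Illustration code, not the paper's own implementation.
import math
from collections import Counter
from fractions import Fraction
from itertools import permutations, product


def urn_probability(b, N, N0):
    """Pr[b] under D*_{(N,N0,K)}: K balls are drawn without replacement from
    N0 balls labelled 0 and N-N0 labelled 1, and b is the label sequence."""
    p = Fraction(1)
    zeros_left, ones_left = N0, N - N0
    for i, bit in enumerate(b):
        remaining = N - i
        if bit == 0:
            p *= Fraction(zeros_left, remaining)
            zeros_left -= 1
        else:
            p *= Fraction(ones_left, remaining)
            ones_left -= 1
    return p


def rank_function(order):
    """Rank map induced by an ordering of the documents; stands in for the
    keyed PRP P.Eval_k (or for a uniform random permutation in Lemma 7)."""
    rank = {d: i for i, d in enumerate(order)}
    return rank.__getitem__


def generate(D, f, b, P, Pprime):
    """Deterministic ordering of the document set D (modelled form).
    Position i <= L receives the not yet used document of D_{b_i} with the
    smallest P-rank; the remaining documents follow in Pprime-order."""
    D0 = sorted((d for d in D if f(d) == 0), key=P)
    D1 = sorted((d for d in D if f(d) == 1), key=P)
    out = []
    for bit in b:
        bucket = D0 if bit == 0 else D1
        if not bucket:
            return None  # too few documents with this label: encoding fails
        out.append(bucket.pop(0))
    return tuple(out + sorted(D0 + D1, key=Pprime))


def output_distribution(D, f, L):
    """Exact law of generate(D,f,b,P,P') for b ~ D*_{(N,N0,L)} and P, P'
    uniform permutations of D, obtained by exhaustive enumeration."""
    N = len(D)
    N0 = sum(1 for d in D if f(d) == 0)
    ranks = [rank_function(perm) for perm in permutations(D)]
    weight = Fraction(1, len(ranks) ** 2)  # Pr[P] * Pr[P']
    dist = Counter()
    for b in product((0, 1), repeat=L):
        pb = urn_probability(b, N, N0)
        for P in ranks:
            for Pp in ranks:
                dist[generate(D, f, b, P, Pp)] += pb * weight
    return dist


def is_uniform(dist, N):
    """True iff dist is the uniform distribution on all N! permutations."""
    target = Fraction(1, math.factorial(N))
    return len(dist) == math.factorial(N) and all(p == target for p in dist.values())


def decoder_accepts(seq, f, L, P, Pprime):
    """Sect. 7 check: read b off the first L documents, recompute generate on
    the received set and accept only if it reproduces the received order."""
    seq = tuple(seq)
    b = tuple(f(d) for d in seq[:L])
    return generate(set(seq), f, b, P, Pprime) == seq


if __name__ == "__main__":
    # Constructed toy instance: N=4 documents, two per label, L=2.
    docs = ("a0", "b0", "c1", "d1")
    f = lambda d: int(d[-1])  # label = last character of the document
    print("Lemma 7 on toy instance:", is_uniform(output_distribution(docs, f, 2), 4))
    P, Pp = rank_function(docs), rank_function(("d1", "b0", "a0", "c1"))
    sent = generate(docs, f, (0, 1), P, Pp)
    # Ordering attack: swap the two 0-labelled documents of the sent sequence.
    swapped = ("b0",) + sent[1:3] + ("a0",)
    print(sent, decoder_accepts(sent, f, 2, P, Pp))
    print(swapped, decoder_accepts(swapped, f, 2, P, Pp))
```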
Proofs of Reliability and Security. We will first concentrate on the reliability of the system \(\mathsf {PKStS}^{*}\) and prove that its unreliability is negligible. This is due to the fact that the decoding always works and the encoding can only fail if a document was drawn more than once or if the sampled documents are very imbalanced with regard to f.
Theorem 9
The probability that a message is not correctly embedded by the encoder \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) is at most \(3N^{2}\cdot 2^{-H_{\infty }(\mathcal {C},\kappa )}+2\exp (-N/54)\).
If \(1<\lambda \le \log (\kappa )\) bits per document are embedded, this probability is bounded by \(2^{2\lambda }\cdot 3N^{2}\cdot 2^{-H_{\infty }(\mathcal {C},\kappa )}+2^{\lambda +1}\exp (-N/54)\), which is negligible in \(\kappa \) if \(H_{\infty }(\mathcal {C},\kappa )\) is sufficiently large. Now, it only remains to prove that our construction is secure. The proof proceeds similarly to the security proof of Hopper [21]. But instead of showing that no other encoding of a message exists, we prove that finding any other encoding of the message is infeasible via Lemma 8.
Theorem 10
Let \(\mathcal {C}\) be a memoryless channel, \( \mathsf {P}\) be a PRP relative to \(\mathcal {C}\), the algorithm \( \mathsf {H}\) be a CRHF relative to \(\mathcal {C}\), the cryptosystem \(\mathsf {PKES}^{*}\) be the cryptosystem designed in Sect. 5 with very sparse support relative to \(\mathcal {C}\), and \(\mathcal {G}\) be a strongly 2-universal hash family. The stegosystem \(\mathsf {PKStS}^{*}\) is SS-CCA-secure against every memoryless channel.
Proof (Proof sketch)
We prove that the above construction is secure via a hybrid argument. We thus define six distributions \(H_{1},\ldots ,H_{6}\) shown in Fig. 1.
We now proceed by proving that \(H_{i}\) and \(H_{i+1}\) are SS-CCA-indistinguishable (denoted by \(H_{i}\sim H_{i+1}\)). Informally, this means that we replace in SS-CCA-Dist the call to the stegosystem (if \(b=0\)) by \(H_i\) and the call to the channel (if \(b=1\)) by \(H_{i+1}\). Denote by \(\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )\) the advantage of a warden \(\mathsf {W}\) in this situation. Clearly, the SS-CCA-advantage of \(\mathsf {W}\) is bounded as \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},\mathsf {PKStS}^{*},\mathcal {C}}(\kappa )\le \mathbf {Adv}^{(1)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(2)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(3)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(4)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(5)}_{\mathsf {W}}(\kappa )\). This implies the theorem, as \(H_{1}\) simply describes the channel and \(H_{6}\) describes the stegosystem. Informally, we argue that:
1. \(H_{1}\sim H_{2}\) because a uniform random permutation on a memoryless channel does not change any probabilities;
2. \(H_{2}\sim H_{3}\) because our choice of \(b_{1},\ldots ,b_{L}\) and random permutations yields the channel distribution by Lemma 7;
3. \(H_{3}\sim H_{4}\) because \( \mathsf {P}\) is a PRP;
4. \(H_{4}\sim H_{5}\) because \( \mathsf {P}\) is a PRP;
5. \(H_{5}\sim H_{6}\) because \(\mathsf {PKES}^{*}\) is secure due to Corollary 6 and because of Lemma 8. \(\square \)
8 An Impossibility Result
We first describe an argument for truly random channels using an infeasible assumption and then proceed to modify those channels to get rid of this assumption. All channels will be 0-memoryless and we thus write \(\mathcal {C}_{\eta ,\mathsf {dl}}\) instead of \(\mathcal {C}_{\mathsf {hist},\mathsf {dl}}\) if \(\mathsf {hist}\) contains \(\eta \) documents.
The main idea of our construction lies in the unpredictability of random channels. If \(\mathcal {C}_{\eta }\) and \(\mathcal {C}_{\eta +1}\) are independent and sufficiently random, we cannot deduce anything about \(\mathcal {C}_{\eta +1}\) before we have sampling access to it, which we only have after we have sent the document of \(\mathcal {C}_{\eta }\) in the standard non-look-ahead model. To be reliable, there must be enough documents in \(\mathcal {C}_{\eta +1}\) continuing the already sent documents (call those documents suitable). To be SS-CCA-secure, the number of suitable documents in \(\mathcal {C}_{\eta +1}\) must be very small to prevent replay attacks like those in Sect. 3. By replacing the random channels with pseudorandom ones, we can thus prove that every stegosystem is either unreliable or SS-CCA-insecure on one of those channels. To improve the readability, fix some stegosystem \(\mathsf {PKStS}\) and let \(n=\mathsf {PKStS}\,\!.\,\!\mathsf {dl}(\kappa )\) and \(\ell =\mathsf {PKStS}\,\!.\,\!\mathsf {ol}(\kappa )\).
Lower Bound on Truly Random Channels. For \(n\in {\mathbb {N}}\), we denote by \({\mathcal {R}}_{n}\) all subsets R of \(\{0,1\}^{n}\) such that there is a negligible function \(\mathsf {negl}\) with
- \(|R|\ge \mathsf {negl}(n)^{-1}\) and
- \(|R|\le 2^{n/2}\).
This means each subset R has super-polynomial cardinality in n without being too large. For an infinite sequence \(\varvec{R}=R_{0},R_{1},\ldots \) with \(R_{i}\in \mathcal {R}_{n}\), we construct a channel \(\mathcal {C}(\varvec{R})\) where the distribution \(\mathcal {C}(\varvec{R})_{i,n}\) is the uniform distribution on \(R_{i}\). The family of all such channels is denoted by \(\mathcal {F}(\mathcal {R}_{n})\). We assume that a warden can test whether a document d belongs to the support of \(\mathcal {C}(\varvec{R})_{i,n}\) and denote this warden by \(\mathsf {W}_{\varvec{R}}\). In the next section, we replace the totally random channels by pseudorandom ones and will get rid of this infeasible assumption. For a stegosystem \(\mathsf {PKStS}\) – like the system \(\mathsf {PKStS}^{*}\) from the last section – we are now interested in two possible events that may occur during the run of \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) on a channel \(\mathcal {C}(\varvec{R})\). The first event, denoted by \(\mathcal {E}_{\text {Nq}}\) (for ), happens if \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) outputs a document it has not seen due to sampling. We are also interested in the case that \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) outputs something in the support of the channel, denoted by \(\mathcal {E}_{\text {InS}}\) for In Support. Clearly, upon random choice of \(\varvec{R}\), \(\eta \) (the length of the history), m and \(\textit{pk}\) we have
where \(\mathsf {PKStS}\,\!.\,\!\mathsf {query}(\kappa )\) denotes the number of queries performed by \(\mathsf {PKStS}\). This is negligible in \(\kappa \) as n, \(\mathsf {query}\) and \(\ell \) are polynomials in \(\kappa \). As warden \(\mathsf {W}_{\varvec{R}}\) can test whether a document belongs to the random sets, we have \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W}_{\varvec{R}},\mathsf {PKStS},\mathcal {C}(\varvec{R})}(\kappa )\ge \Pr [\overline{\mathcal {E}_{\text {InS}}}]\). Clearly, since we can assume \(\overline{\mathcal {E}_{\text {InS}}}\subseteq \mathcal {E}_{\text {Nq}}\) we thus obtain
Hence, if \(\mathsf {PKStS}\) is SS-CCA-secure, the term \(\Pr [\mathcal {E}_{\text {Nq}}]\) must be negligible.
If \(\mathsf {PKStS}\) is given a history of length \(\eta \) and it outputs documents \(d_{1},\ldots ,d_{\ell }\), we note that \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) only gets sampling access to \(\mathcal {C}(\varvec{R})_{\eta +\ell -1,n}\) after it sent \(d_{1},\ldots ,d_{\ell -1}\) in the standard non-look-ahead model. Clearly, due to the random choice of \(\varvec{R}\), the set \(R_{\eta +\ell }\) is independent of \(R_{\eta },R_{\eta +1},\ldots ,R_{\eta +\ell -1}\). The encoder \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) thus needs to decide on the documents \(d_{1},\ldots ,d_{\ell -1}\) without any knowledge of \(R_{\eta +\ell }\). As \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) draws a sample set D from \(\mathcal {C}(\varvec{R})_{\eta +\ell -1,n}\) with at most \(q=\mathsf {PKStS}\,\!.\,\!\mathsf {query}(\kappa )\) documents, we now look at the event \(\mathcal {E}_{\text {Nsui}}\) (for Not suitable) that none of the documents in D are suitable for the encoding, i.e. if the sequence \(d_{1},d_{2},\ldots ,d_{\ell -1},d\) is not a suitable encoding of the message m for all \(d\in D\). Denote the unreliability of the stegosystem by \(\rho \). Clearly, if \(\mathcal {E}_{\text {Nsui}}\) occurs, there are two possibilities for the stegosystem: It either outputs something from D and thus increases the unreliability or it outputs something it has not queried. We thus have \(\Pr [\mathcal {E}_{\text {Nsui}}] \ \le \ \max \{\rho , (1-\rho )\cdot \Pr [\mathcal {E}_{\text {Nq}}]\}\). Note that \(\rho \) must be negligible if \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) is reliable and, as discussed above, the term \(\Pr [\mathcal {E}_{\text {Nq}}]\) (and thus the term \((1-\rho )\cdot \Pr [\mathcal {E}_{\text {Nq}}]\)) must be negligible if \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) is SS-CCA-secure. Hence, if \(\mathsf {PKStS}\,\!.\,\!\mathsf {Enc}\) is SS-CCA-secure and reliable, the probability \(\Pr [\mathcal {E}_{\text {Nsui}}]\) must be negligible. 
The insight that \(\Pr [\mathcal {E}_{\text {Nsui}}]\) must be negligible directly leads us to the construction of a warden \(\mathsf {W}_{\varvec{R}}\) on the channel \(\mathcal {C}(\varvec{R})\). The warden chooses a random history of length \(\eta \) and a random message m and sends those to its challenging oracle. It then receives the document sequence \(d_{1},\ldots ,d_{\ell }\). If \(d_{i}\not \in R_{\eta +i}\), the warden returns »Stego«. Else, it samples q documents D from \(\mathcal {C}(\varvec{R})_{\eta +\ell ,n}\) and tests for all \(d\in D\) via the decoding oracle \(\mathsf {PKStS}\,\!.\,\!\mathsf {Dec}_{\textit{sk}}\) if the sequence \(d_{1},d_{2},\ldots ,d_{\ell -1},d\) decodes to m. If it finds such a d, it returns »Stego«, and otherwise »Not Stego«. If the documents are randomly chosen from the channel, the probability of returning »Stego« is at most \(q/|2^{\mathsf {PKStS}\,\!.\,\!\mathsf {ml}(\kappa )}|\), i.e. negligible. If the documents are chosen by the stegosystem, the probability of »Not Stego« is exactly \(\Pr [\mathcal {E}_{\text {Nsui}}]\). Hence, \(\mathsf {PKStS}\) must be either unreliable or SS-CCA-insecure on some channel in \(\mathcal {F}(\mathcal {R}_{n})\).
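The warden \(\mathsf {W}_{\varvec{R}}\) just described, run in a small Python model. This is an added example and not code from the paper: the channel is a family of pseudorandom sets \(R_{i}\) of 32-bit documents with \(|R_{i}|=256\) (a toy stand-in for the super-polynomial sets above), and the stegosystem is a constructed keyless stand-in for \(\mathsf {PKStS}\), a rejection-sampling embedder that writes one message bit per document through a public parity function f. All seeds, sizes and names are constructed choices. The model shows the two halves of the argument: the stand-in encoder only ever outputs sampled documents, so the support test passes, but q fresh samples from the next distribution almost always complete the prefix to a valid encoding of m, so the warden answers »Stego«; for honest cover documents the prefix decodes to m only with probability \(2^{-(\ell -1)}\).

```python
"""Toy model of the warden W_R on a random channel C(R) (added example; not
code from the paper). The stegosystem below is a constructed stand-in: a
keyless rejection-sampling embedder that writes one message bit per document
through a public bit function f. It only exercises the warden, whose logic
follows the description in the text."""
import random
from functools import lru_cache

N_BITS = 32          # document length n (constructed toy parameter)
SET_SIZE = 256       # |R_i|; stands in for the super-polynomial size in the text
MASTER_SEED = 2024   # constructed seed fixing R = R_0, R_1, ...; W_R knows it


@lru_cache(maxsize=None)
def channel_support(i: int) -> tuple:
    """R_i: a pseudorandom subset of {0,1}^n, chosen independently of every R_j."""
    rng = random.Random(MASTER_SEED * 1_000_003 + i)
    docs = set()
    while len(docs) < SET_SIZE:
        docs.add(rng.getrandbits(N_BITS))
    return tuple(sorted(docs))


def sample(i: int, rng: random.Random) -> int:
    """Sampling access to C(R)_{i,n}, the uniform distribution on R_i."""
    return rng.choice(channel_support(i))


def in_support(i: int, d: int) -> bool:
    """Membership test the text grants to W_R (it knows the sets R_i)."""
    return d in channel_support(i)


def f(d: int) -> int:
    """Public bit read from a document: the parity of its bits."""
    return bin(d).count("1") & 1


def stego_encode(eta: int, message: list, rng: random.Random, max_tries: int = 1000) -> list:
    """Non-look-ahead encoder: while choosing d_j it can only sample C(R)_{eta+j};
    it keeps sampling until f(d) equals the j-th message bit, so it only ever
    outputs documents it has sampled (the event E_Nq never occurs)."""
    out = []
    for j, bit in enumerate(message, start=1):
        for _ in range(max_tries):
            d = sample(eta + j, rng)
            if f(d) == bit:
                out.append(d)
                break
        else:  # no suitable document within the budget: the encoder is unreliable here
            raise RuntimeError(f"no document with f(d) == {bit} found in R_{eta + j}")
    return out


def stego_decode(docs: list) -> list:
    """Decoder of the stand-in: one bit per document."""
    return [f(d) for d in docs]


def warden(eta: int, message: list, docs: list, q: int, rng: random.Random) -> str:
    """W_R from the text: reject any d_i outside R_{eta+i}; otherwise draw q fresh
    documents from C(R)_{eta+l} and ask the decoder whether one of them completes
    the prefix d_1, ..., d_{l-1} to an encoding of the message."""
    ell = len(docs)
    for i, d in enumerate(docs, start=1):
        if not in_support(eta + i, d):
            return "Stego"
    prefix = docs[:-1]
    for _ in range(q):
        d = sample(eta + ell, rng)
        if stego_decode(prefix + [d]) == message:
            return "Stego"
    return "Not Stego"


def cover_sequence(eta: int, ell: int, rng: random.Random) -> list:
    """l documents drawn honestly from the channel after a history of length eta."""
    return [sample(eta + i, rng) for i in range(1, ell + 1)]


def experiment(seed: int = 7, eta: int = 5, ell: int = 32, q: int = 32) -> dict:
    """Run W_R once on a stego sequence and once on a cover sequence for a random
    message. The cover verdict is wrong only if the l-1 cover prefix bits equal the
    message prefix (probability 2^-(l-1)); the stego verdict is wrong only if all
    q samples carry the wrong last bit (probability about 2^-q)."""
    rng = random.Random(seed)
    message = [rng.getrandbits(1) for _ in range(ell)]
    stego = stego_encode(eta, message, rng)
    cover = cover_sequence(eta, ell, rng)
    return {
        "stego_verdict": warden(eta, message, stego, q, rng),
        "cover_verdict": warden(eta, message, cover, q, rng),
    }


if __name__ == "__main__":
    print(experiment())
```

The stand-in has no secret key, so the warden's decoding oracle is simply `stego_decode`; in the paper's setting the same test is made through \(\mathsf {PKStS}\,\!.\,\!\mathsf {Dec}_{\textit{sk}}\), and the argument only needs that a reliable encoder leaves enough suitable completions in \(R_{\eta +\ell }\) for q samples to hit one.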
Lower Bound on Pseudorandom Channels. To give a proof, we will replace the random channels \(\mathcal {C}(\varvec{R})\) by pseudorandom ones. The construction assumes existence of a CCA$-secure cryptosystem \(\mathsf {PKES}\) with \(\mathsf {PKES}\,\!.\,\!\mathsf {cl}(\kappa )\ge 2\,\mathsf {PKES}\,\!.\,\!\mathsf {ml}(\kappa )\).
For \(\omega =(\textit{pk},\textit{sk})\in \text {supp}(\mathsf {PKES}\,\!.\,\!\mathsf {Gen}(1^{\kappa }))\), let \(\mathcal {C}(\omega )_{i,\mathsf {dl}(\kappa )}\) be the distribution \(\mathsf {PKES}\,\!.\,\!\mathsf {Enc}(\textit{pk},\text {bin}(i)_{\mathsf {dl}(\kappa )})\), where \(\text {bin}(i)_{\mathsf {dl}(\kappa )}\) is the binary representation of the number i of length exactly \(\mathsf {dl}(\kappa )\) modulo \(2^{\mathsf {dl}(\kappa )}\). The family of channels \(\varvec{\mathcal {C}}_{\mathsf {PKES}}=\{\mathcal {C}(\omega )\}_{\omega }\) thus has the following properties:
1. There is a negligible function \(\mathsf {negl}\) such that for each \(\omega \) and each i, we have \(2^{\mathsf {PKES}\,\!.\,\!\mathsf {ml}(\kappa )/2}\ge |\mathcal {C}(\omega )_{i,\mathsf {dl}(\kappa )}|\ge \mathsf {negl}(\kappa )^{-1}\) if \(\mathsf {PKES}\) is CCA$-secure. This follows easily from the CCA$-security of \(\mathsf {PKES}\): If \(|\mathcal {C}(\omega )_{i,\mathsf {dl}(\kappa )}|\) were polynomial, an attacker could simply store all corresponding ciphertexts.
2. An algorithm with the knowledge of \(\omega \) can test in polynomial time whether \(d\in \text {supp}(\mathcal {C}(\omega )_{i,\mathsf {dl}(\kappa )})\), i.e. whether d belongs to the support, by simply testing whether \(\mathsf {PKES}\,\!.\,\!\mathsf {Dec}(\textit{sk},d)\) equals \(\text {bin}(i)_{\mathsf {dl}(\kappa )}\).
3. Every algorithm \( \mathsf {Q}\) that tries to distinguish \(\mathcal {C}(\omega )\) from a random channel \(\mathcal {C}(\varvec{R})\) fails: For every polynomial algorithm \( \mathsf {Q}\), we have that the term
$$\begin{aligned} \bigl |&\mathop {\Pr }\limits _{\varvec{R}\twoheadleftarrow \varvec{\mathcal {R}}_{\mathsf {dl}(\kappa )}^{*}}[ \mathsf {Q}^{\mathcal {C}(\varvec{R})}(1^{\kappa })=1]- \mathop {\Pr }\limits _{\omega \leftarrow \mathsf {PKES}\,\!.\,\!\mathsf {Gen}(1^{\kappa })}[ \mathsf {Q}^{\mathcal {C}(\omega )}(1^{\kappa })=1]\bigr | \end{aligned}$$
is negligible in \(\kappa \) if \(\mathsf {PKES}\) is CCA$-secure. This follows from the fact that no polynomial algorithm can distinguish \(\mathcal {C}(\varvec{R})\) upon random choice of \(\varvec{R}\) from the uniform distribution on \(\{0,1\}^{n}\), as \(|\mathcal {C}(\varvec{R})_{i,n}|\) is super-polynomial. Furthermore, an attacker \(\mathsf {A}\) on \(\mathsf {PKES}\) can simulate \( \mathsf {Q}\) for a successful attack.
Note that the third property directly implies that no polynomial algorithm can conclude anything about \(\mathcal {C}(\omega )_{i,\mathsf {dl}(\kappa )}\) from samples of previous distributions \(\mathcal {C}(\omega )_{0,\mathsf {dl}(\kappa )}, \ldots ,\mathcal {C}(\omega )_{i-1,\mathsf {dl}(\kappa )}\), except for a negligible term. The second property directly implies that we can get rid of the infeasible assumption of the previous section concerning the ability of the warden to test whether a document belongs to the support of \(\mathcal {C}(\omega )\): We simply equip the warden with the seed \(\omega \). Call the resulting warden \(\mathsf {W}_{\omega }\). Note that this results in a non-uniform warden. As above, we are interested in the events that a stegosystem outputs a document that it has not seen (\(\mathcal {E}_{\widehat{\text {Nq}}}\)), that the output document does not belong to the support (\(\mathcal {E}_{\widehat{\text {InS}}}\)), and the event that a random set of q documents is not suitable to complete a given document prefix \(d_{1},d_{2},\ldots ,d_{\ell -1}\) (\(\mathcal {E}_{\widehat{\text {Nsui}}}\)).
As \(\mathcal {E}_{\widehat{\text {InS}}}\) is a polynomially testable property (due to the second property of our construction), we can conclude a similar bound as above:
Lemma 11
Let \(\mathsf {PKStS}\) be an SS-CCA-secure universal stegosystem. For every warden \(\mathsf {W}\) and every CCA$-attacker \(\mathsf {A}\), \(\Pr [\mathcal {E}_{\widehat{\text {Nq}}}] \ \le \ \frac{\mathbf {Adv}^{\mathrm{{ss}{\text {-}}\mathrm {cca}}}_{\mathsf {W},\mathsf {PKStS},\mathcal {C}(\omega )}(\kappa )}{1-\ell \cdot 2^{-n/2}}+\mathbf {Adv}^\mathrm{{\text {pkes}}}_{\mathsf {A},\mathsf {PKES}}(\kappa )\).
Hence, if the stegosystem \(\mathsf {PKStS}\) is SS-CCA-secure and \(\mathsf {PKES}\) is CCA$-secure, the term \(\Pr [\mathcal {E}_{\widehat{\text {Nq}}}]\) must be negligible. As above, we can conclude that \(\Pr [\mathcal {E}_{\widehat{\text {Nsui}}}] \ \le \ \max \{\rho , (1-\rho )\cdot \Pr [\mathcal {E}_{\widehat{\text {Nq}}}]\}\) for unreliability \(\rho \). The warden \(\mathsf {W}_{\omega }\) similar to \(\mathsf {W}_{\varvec{R}}\) from the preceding section thus succeeds with very high probability. Hence, no SS-CCA-secure and reliable stegosystem can exist for the family \(\varvec{\mathcal {C}}_{\mathsf {PKES}}\):
Theorem 12
If doubly-enhanced trapdoor permutations exist, for every stegosystem \(\mathsf {PKStS}\) in the non-look-ahead model there is a 0-memoryless channel \(\mathcal {C}\) such that \(\mathsf {PKStS}\) is either unreliable or it is not SS-CCA-secure on \(\mathcal {C}\) against non-uniform wardens.
9 Discussion
The work of Dedić et al. [13] shows that provably secure universal steganography needs a huge number of sample documents to embed long secret messages, as high-bandwidth stegosystems are needed for such messages. This limitation also transfers to the public-key scenario. However, such a limitation does not necessarily restrict the applicability of steganography, especially in the case of specific communication channels or if the length of the secret messages is sufficiently short.
A prominent recent example of such applications is the use of steganography for channels determined by cryptographic primitives, like symmetric encryption schemes (SESs) or digital signature schemes. Bellare, Paterson, and Rogaway introduced in [5] so-called algorithm substitution attacks against SESs, where an attacker replaces an honest implementation of the encryption algorithm by a modified version which allows the attacker to extract the secret key from the ciphertexts produced by the corrupted implementation. Several follow-up works build on this paper, such as those by Bellare et al. [4], Ateniese et al. [2], or Degabriele et al. [14]. These works strengthened the model proposed in [5] and presented new attacks against SESs or against other cryptographic primitives, e.g. against signature schemes. Surprisingly, as we show in [6], all such algorithm substitution attacks can be analyzed in the framework of computational secret-key steganography and, in consequence, the attackers can be identified as stegosystems on certain channels determined by the primitives. In such scenarios, the secret message embedded by the stegosystem corresponds to a secret key of the cryptographic algorithm.
A similar approach was used by Pasquini et al. [35] to show that the so-called password decoy vaults used for example by Chatterjee et al. [10] and Golla et al. [19] can also be interpreted as steganographic protocols.
Notes
1. We will drop the prefix \(\mathsf {PKStS}\) if the context is clear.
2. The definition of a rcca$-secure cryptosystem is analogous to ss-rcca-security given in Sect. 2.
3. We believe that one permutation suffices. But in order to improve the readability of the proof for security, we use two permutations in our stegosystem.
4. See e.g. the work [18] of Goldreich and Rothblum.
5. That the number of produced documents is always divisible by 8 does not hurt the security: The warden always gets the same number of documents, whether steganography is used or not.
References
Anderson, R.J., Petitcolas, F.A.P.: On the limits of steganography. IEEE J. Sel. Areas Commun. 16(4), 474–481 (1998)
Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Proceedings of the CCS, pp. 364–375. ACM (2015)
Backes, M., Cachin, C.: Public-key steganography with active attacks. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 210–226. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_12
Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: Proceedings of the CCS 2015, pp. 1431–1440. ACM (2015)
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
Berndt, S., Liśkiewicz, M.: Algorithm substitution attacks from a steganographic perspective. In: Proceedings of the CCS, pp. 1649–1660 (2017). https://doi.org/10.1145/3133956.3133981
Cachin, C.: An information-theoretic model for steganography. Inf. Comput. 192(1), 41–56 (2004)
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
Chandran, N., Goyal, V., Ostrovsky, R., Sahai, A.: Covert multi-party computation. In: Proceedings of the FOCS, pp. 238–248. IEEE Computer Society (2007)
Chatterjee, R., Bonneau, J., Juels, A., Ristenpart, T.: Cracking-resistant password vaults using natural language encoders. In: Proceedings of the S&P, pp. 481–498 (2015). https://doi.org/10.1109/SP.2015.36
Cho, C., Dachman-Soled, D., Jarecki, S.: Efficient concurrent covert computation of string equality and set intersection. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 164–179. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_10
Craver, S.: On public-key steganography in the presence of an active warden. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 355–368. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49380-8_25
Dedić, N., Itkis, G., Reyzin, L., Russell, S.: Upper and lower bounds on black-box steganography. J. Cryptol. 22(3), 365–394 (2009)
Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_28
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
Fazio, N., Nicolosi, A.R., Perera, I.M.: Broadcast steganography. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 64–84. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_4
Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)
Golla, M., Beuscher, B., Dürmuth, M.: On the security of cracking-resistant password vaults. In: Proceedings of the CCS, pp. 1230–1241 (2016). https://doi.org/10.1145/2976749.2978416
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_5
Hopper, N.: On steganographic chosen covertext security. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 311–323. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_26
Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_6
Hopper, N.J., von Ahn, L., Langford, J.: Provably secure steganography. IEEE Trans. Comput. 58(5), 662–676 (2009)
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
Katzenbeisser, S., Petitcolas, F.A.P.: Defining security in steganographic systems. In: Proceedings of the Electronic Imaging, pp. 50–56. SPIE (2002)
Kiayias, A., Raekow, Y., Russell, A., Shashidhar, N.: A one-time stegosystem and applications to efficient covert communication. J. Cryptol. 27(1), 23–44 (2014)
Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosen-ciphertext security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 673–692. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_34
Van Le, T., Kurosawa, K.: Bandwidth optimal steganography secure against adaptive chosen stegotext attacks. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 297–313. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74124-4_20
Lindell, Y.: A simpler construction of CCA2-secure public-key encryption under general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 241–254. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_15
Liśkiewicz, M., Reischuk, R., Wölfel, U.: Grey-box steganography. Theoret. Comput. Sci. 505, 27–41 (2013)
Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_34
Lysyanskaya, A., Meyerovich, M.: Provably secure steganography with imperfect sampling. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 123–139. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_9
Mitzenmacher, M., Upfal, E.: Probability and Computing - Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the STOC, pp. 33–43. ACM (1989)
Pasquini, C., Schöttle, P., Böhme, R.: Decoy password vaults: at least as hard as steganography? In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 356–370. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58469-0_24
Ryabko, B., Ryabko, D.: Constructing perfect steganographic systems. Inf. Comput. 209(9), 1223–1230 (2011)
Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054137
von Ahn, L., Hopper, N.J.: Public key steganography. IACR Cryptology ePrint Archive, 2003/233 (2003)
von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_20
Wang, Y., Moulin, P.: Perfectly secure steganography: capacity, error exponents, and code constructions. IEEE Trans. Inf. Theory 54(6), 2706–2722 (2008)
A Remaining Proofs
To improve the readability, we will abbreviate some terms and define \(n=\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {dl}(\kappa )\), \(\ell =\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {ol}(\kappa )\) and \(L=\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {cl}(\kappa )\), where \(\mathsf {PKStS}^{*}\) is our stegosystem constructed in Sect. 7 and \(\mathsf {PKES}^{*}\) is the public-key cryptosystem constructed in Sect. 5. We also define \(N=8L\).
A.1 Formal Statement of Lemma 8 and its Proof
We start with a formal definition for “\( \mathsf {A}\) is successful on \(D,f,b_{1},\ldots ,b_{L},k_{ \mathsf {H}}\)”.
Definition 13
An attacker \( \mathsf {A}\) on \( \mathsf {generate}\) is a PPTM that receives the following input:
- a sequence \(d_{1},\ldots ,d_{N}\) of N pairwise different documents,
- a hash function \(f:\varSigma ^n \rightarrow \{0,1\}\) from the family \(\mathcal {G}=\{G_{\kappa }\}_{\kappa \in {\mathbb {N}}}\),
- a sequence \(b_{1},\ldots ,b_{L}\) of L bits, and
- a hash-key \(k_{ \mathsf {H}}\) for \( \mathsf {H}\).
The attacker \( \mathsf {A}\) then outputs a sequence \(d'_{1},\ldots ,d'_{N}\) of documents. Note that the attacker knows the mapping function f and even the hash-key \(k_{H}\) for \( \mathsf {H}\).
We say that \( \mathsf {A}\) is successful if the experiment \(\text {Sgen}( \mathsf {A},D,f,b_{1},\ldots ,b_{L})\) returns value 1:
We are now ready to give the formal version of Lemma 8:
Lemma
(formal version of Lemma 8). Let \(D\subseteq \varSigma ^n\) be a set of documents, with \(|D|=N\), let \(b_{1},\ldots ,b_{L}\) be a bitstring, and \(f\in G_{\kappa }\). For every attacker \( \mathsf {A}\) on \( \mathsf {generate}\), there is a collision finder \(\mathsf {Fi}\) for the CRHF \( \mathsf {H}\) such that
where the probability is taken over the random choices made in experiment \(\text {Sgen}\).
Proof
Let \( \mathsf {A}\) be an attacker on \( \mathsf {generate}\) with maximal success probability. Let \(D=D_{0}\dot{\cup } D_{1}\) be the input to \( \mathsf {generate}\), the sequence \(d_{1},\ldots ,d_{N}\) its output and \(d'_{1},\ldots ,d'_{N}\) be the output of \( \mathsf {A}\). Furthermore, let \(D'_{b}=\{d'_{j}\mid f(d'_{j})=b\}\) and \(D'=D'_{0}\cup D'_{1}\). We now distinguish three cases of the relation between D and \(D'\). If \(D'\subsetneq D\), the sequence \(d'_{1},\ldots ,d'_{N}\) must contain the same element on at least two positions, but \( \mathsf {generate}\) only accepts sets of size exactly N. Hence, \( \mathsf {A}\) was not successful in this case. If \(D'=D\) and \( \mathsf {A}\) was successful, it holds that \(d'_{1},\ldots ,d'_{N}\ne d_{1},\ldots ,d_{N}\). Hence, there must be positions \(i < j\) and \(j' < i'\) such that \(d_{i}=d_{i'}\) and \(d_{j}=d_{j'}\). As \(k_{ \mathsf {P}}\) and \(k'_{ \mathsf {P}}\) define a total order, the sequence \(d'_{1},\ldots ,d'_{N}\) could not be produced by \( \mathsf {generate}\). Thus, \( \mathsf {A}\) cannot be successful in this case.
The only remaining case is \(D'\setminus D\ne \emptyset \). If \( \mathsf {A}\) was successful, it holds that , i.e. this is a collision with regard to \( \mathsf {H}\). We will now construct a finder \(\mathsf {Fi}\) for , such that . The finder \(\mathsf {Fi}\) receives a hash key . It then chooses \(f\twoheadleftarrow G_{\kappa }\), samples D documents of cardinality \(|D|=N\) via rejection sampling and PRP-keys \(k_{ \mathsf {P}},k'_{ \mathsf {P}}\). The finder simulates \( \mathsf {A}\) and receives
Then, it returns D and \(D'=\{d'_{1},\ldots ,d'_{N}\}\). Whenever \( \mathsf {A}\) succeeds, we have \(D\ne D'\) by the discussion above and thus also . Hence, \(\mathsf {Fi}\) has successfully found a collision. This implies that . \(\square \)
A.2 Proof of Theorem 9
Recall the statement of the theorem:
Theorem
(Theorem 9). The probability that a message is not correctly embedded by \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) is at most \(3N^{2}\cdot 2^{-H_{\infty }(\mathcal {C},\kappa )}+2\exp (-N/54)\).
Proof
Note that \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) may not correctly embed a message m if (a) \(|D_{0}\cup D_{1}|< N\), i.e. a document sampled in line 3 was drawn twice, or (b) \(N_{0}/N\not \in [1/3,2/3]\), i.e. the bias is too large, or (c) the number of elements of \(D_{0}\) or \(D_{1}\) is too small to embed \(b_1,b_2,\ldots ,b_{L}\) by \( \mathsf {generate}\). The probability of (a) can be bounded similarly to the birthday attack. It is roughly bounded by \(3N^{2}\cdot 2^{-H_{\infty }(\mathcal {C},\kappa )}\) as the probability of every document is bounded by \(2^{-H_{\infty }(\mathcal {C},\kappa )}\).
A simple calculation shows that the probability of (b) and (c) is negligible. Note that the algorithm always correctly embeds a message if \(|D_{0}|\ge L\) and \(|D_{1}|\ge L\). As \(N_{0}/N=|D_{0}|/N\), this implies that \(N_{0}/N\in [1/3,2/3]\). We thus estimate the probability of this event. As f is drawn from a strongly 2-universal hash family, we note that the probability that a random document d is mapped to 1 is equal to 1/2. For \(i=1,\ldots ,N\), let \(X_{i}\) be the indicator variable such that \(X_{i}\) equals 1 if the i-th element drawn from the channel maps to 1. The random variable \(X=\sum _{i=1}^{N}X_{i}\) thus equals \(|D_{1}|\). Clearly, its expected value is \(N \slash 2\). The probability that \(|X-N/2| > L\) (and thus \(|D_{1}| < L\) or \(|D_{0}| < L\)) is hence bounded by
using a Chernoff-like bound. The probability that the message m is incorrectly embedded is thus bounded by \(2^{-H_{\infty }(\mathcal {C},\kappa )}+2\exp (-N/54)\). \(\square \)
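A worked check of the bad events (b) and (c) in this proof for concrete values of L. This is an added example, not code from the paper: it computes the exact binomial probabilities of a bias outside \([1/3,2/3]\) and of fewer than L documents landing in \(D_{0}\) or \(D_{1}\) for \(N=8L\) samples, and compares them with the \(2\exp (-N/54)\) term of Theorem 9 (Chernoff with \(\mu =N/2\) and \(\delta =1/3\)) and the birthday-style term for (a). Going one step beyond the text, it also checks that event (c) is contained in event (b), since \(|D_{0}|<L\) already forces \(|D_{0}|/N<1/8\). Function names and the sample values of L are constructed here.

```python
"""Exact probabilities of the bad events in the proof of Theorem 9 versus the
bounds used there (added example; not code from the paper)."""
from fractions import Fraction
from math import comb, exp


def binomial_pmf(N: int, k: int) -> Fraction:
    """Pr[X = k] for X ~ Bin(N, 1/2): the strongly 2-universal f maps each
    sampled document to 1 independently with probability exactly 1/2."""
    return Fraction(comb(N, k), 2 ** N)


def prob_bias_too_large(L: int) -> Fraction:
    """Event (b): N_0/N = |D_0|/N lies outside [1/3, 2/3], with N = 8L."""
    N = 8 * L
    return sum((binomial_pmf(N, k) for k in range(N + 1)
                if not Fraction(1, 3) <= Fraction(k, N) <= Fraction(2, 3)),
               Fraction(0))


def prob_too_few_in_one_side(L: int) -> Fraction:
    """Event (c): |D_0| < L or |D_1| < L, so generate cannot place L bits."""
    N = 8 * L
    return sum((binomial_pmf(N, k) for k in range(N + 1) if k < L or N - k < L),
               Fraction(0))


def chernoff_bound(L: int) -> float:
    """The 2 exp(-N/54) term of Theorem 9: 2 exp(-mu delta^2 / 3) with mu = N/2,
    delta = 1/3 (deviation of more than N/6 from the mean)."""
    return 2 * exp(-8 * L / 54)


def collision_bound(L: int, min_entropy_bits: float) -> float:
    """Birthday-style term 3 N^2 2^{-H_inf(C, kappa)} for event (a)."""
    N = 8 * L
    return 3 * N ** 2 * 2.0 ** (-min_entropy_bits)


def theorem9_bound(L: int, min_entropy_bits: float) -> float:
    """The full bound of Theorem 9 for the given L and channel min-entropy."""
    return collision_bound(L, min_entropy_bits) + chernoff_bound(L)


def check(L: int) -> dict:
    """Compare the exact probabilities of (b) and (c) with the Chernoff term."""
    bias = prob_bias_too_large(L)
    too_few = prob_too_few_in_one_side(L)
    return {
        "L": L,
        "N": 8 * L,
        "bias": bias,
        "too_few": too_few,
        "chernoff": chernoff_bound(L),
        "chernoff_dominates": max(bias, too_few) <= chernoff_bound(L),
        "too_few_implies_bias": too_few <= bias,
    }


if __name__ == "__main__":
    for L in (1, 4, 16, 64):
        r = check(L)
        print(f"L={r['L']:3d} N={r['N']:4d} bias={float(r['bias']):.3e} "
              f"too_few={float(r['too_few']):.3e} chernoff={r['chernoff']:.3e}")
```

For \(L=1\) (\(N=8\)) the exact values are \(37/128\) for the bias event and \(1/128\) for the event that one side is empty, both below the Chernoff term; the exact tails shrink like \(\exp (-N/32)\) while the bound only shrinks like \(\exp (-N/54)\), so the inequality holds for every L.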
A.3 Proof of Theorem 10
We recall:
Theorem
(Theorem 10). Let \(\mathcal {C}\) be a memoryless channel, \( \mathsf {P}\) be a PRP relative to \(\mathcal {C}\), the algorithm \( \mathsf {H}\) be a CRHF relative to \(\mathcal {C}\), the cryptosystem \(\mathsf {PKES}^{*}\) be the cryptosystem designed in Sect. 5 with very sparse support relative to \(\mathcal {C}\), and \(\mathcal {G}\) be a strongly 2-universal hash family. The stegosystem \(\mathsf {PKStS}^{*}\) is SS-CCA-secure against every memoryless channel.
Proof
We prove that the above construction is secure via a hybrid argument. We thus define six distributions \(H_{1},\ldots ,H_{6}\) shown in Fig. 1.
If P and Q are two probability distributions, denote by \(\mathsf{SS}\text {-}\mathsf{CCA}\text {-}\mathsf{Dist}_{P,Q}\) the modification of the game \(\mathsf{SS}\text {-}\mathsf{CCA}\text {-}\mathsf{Dist}\), where the call to the stegosystem (if \(b=0\)) is replaced by a call to P and the call to the channel (if \(b=1\)) is replaced by a call to Q. If \(\mathsf {W}\) is some warden, denote by \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},P,Q}(\kappa )\) the winning probability of \(\mathsf {W}\) in \(\mathsf{SS}\text {-}\mathsf{CCA}\text {-}\mathsf{Dist}_{P,Q}\). If \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},P,Q}(\kappa )\le \mathsf {negl}(\kappa )\) for a negligible function \(\mathsf {negl}\), we denote this situation as \(P\sim Q\) and say that P and Q are indistinguishable with respect to \(\mathsf{SS}\text {-}\mathsf{CCA}\text {-}\mathsf{Dist}\). Furthermore, we define \(\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )=\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},H_i,H_{i+1}}(\kappa )\). As the term \(\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )\) can also be written as
the triangle inequality implies that \(\mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},\mathsf {PKStS}^{*},\mathcal {C}}(\kappa )\le \mathbf {Adv}^{(1)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(2)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(3)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(4)}_{\mathsf {W}}(\kappa )+\mathbf {Adv}^{(5)}_{\mathsf {W}}(\kappa )\).
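The telescoping step behind this triangle inequality, written out as an added worked derivation (not from the paper). Here \(p_{i}(\kappa )\) is notation assumed for this derivation only: the probability that \(\mathsf {W}\) outputs 1 in \(\mathsf{SS}\text {-}\mathsf{CCA}\text {-}\mathsf{Dist}\) when its challenge is produced by \(H_{i}\), where \(H_{1}\) is distributed as the channel and \(H_{6}\) as the stegosystem \(\mathsf {PKStS}^{*}\), so that \(\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )=|p_{i}(\kappa )-p_{i+1}(\kappa )|\):
$$\begin{aligned} \mathbf {Adv}^{{\text {ss-cca}}}_{\mathsf {W},\mathsf {PKStS}^{*},\mathcal {C}}(\kappa ) &= |p_{6}(\kappa )-p_{1}(\kappa )| = \Bigl |\sum _{i=1}^{5}\bigl (p_{i+1}(\kappa )-p_{i}(\kappa )\bigr )\Bigr | \\ &\le \sum _{i=1}^{5}|p_{i+1}(\kappa )-p_{i}(\kappa )| = \sum _{i=1}^{5}\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa ). \end{aligned}$$
Each summand is then bounded separately by one of the five indistinguishability arguments that follow, and the sum of five negligible terms is negligible.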
Informally, we argue that:
1. \(H_1=H_2\implies H_{1}\sim H_{2}\) because a uniform random permutation on a memoryless channel does not change any probabilities;
2. \(H_2=H_3\implies H_{2}\sim H_{3}\) because our choice of \(b_{1},\ldots ,b_{L}\) and random permutations equals the channel by Lemma 7;
3. \(H_{3}\sim H_{4}\) because \( \mathsf {P}\) is a PRP;
4. \(H_{4}\sim H_{5}\) because \( \mathsf {P}\) is a PRP;
5. \(H_{5}\sim H_{6}\) because \(\mathsf {PKES}^{*}\) is secure due to Corollary 6 and because of Lemma 8.
Distribution \(H_1\) can be specified as follows:
- Indistinguishability of \(H_1\) and \(H_2\):
If \(|D_{0}\cup D_{1}|< N\), i.e. a document was sampled twice or \(|D_{0}|/|D| \not \in [1/3,2/3]\), the system only outputs the sampled documents. Hence \(H_{1}\) equals \(H_{2}\) in this case. In the other case, we first permute the items before we output them. But, as P is a uniform random permutation and the documents are drawn independently from a memoryless channel, we have
As \(\textit{pk}\) is not used in these hybrids, \(H_{1}=H_{2}\) follows.
- Indistinguishability of \(H_2\) and \(H_3\):
If \(|D_{0}\cup D_{1}|< N\), i.e. a document was sampled twice or \(|D_{0}|/|D| \not \in [1/3,2/3]\), the system only outputs the sampled documents. Hence \(H_{2}\) equals \(H_{3}\) in this case. If \(|D_{0}\cup D_{1}|=N\), Lemma 7 shows that \(H_{2}\) equals \(H_{3}\).
- Indistinguishability of \(H_3\) and \(H_4\):
We will construct a distinguisher \(\mathsf {Dist}\) on the PRP \( \mathsf {P}\) with \(\mathbf {Adv}^\mathrm{{\text {prp}}}_{\mathsf {Dist}, \mathsf {P},\mathcal {C}}(\kappa )=\mathbf {Adv}^{(3)}_{\mathsf {W}}(\kappa )\). Note that such a distinguisher has access to an oracle that either corresponds to a truly random permutation or to \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k}\) for a key \(k\leftarrow \mathsf {P}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\).
The PRP-distinguisher \(\mathsf {Dist}\) simulates the run of \(\mathsf {W}\). It first chooses a key-pair \((\textit{pk},\textit{sk})\leftarrow \mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\). It then simulates \(\mathsf {W}\). Whenever the warden \(\mathsf {W}\) makes a call to its decoding-oracle \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\), it computes \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}(\textit{sk},\cdot )\) (or \(\bot \) if necessary). In order to generate the challenge sequence \(\hat{d}\) upon the message m, it simulates the run of \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) and replaces every call to P or \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {P}}}\) by a call to its oracle. Similarly, the bits output by \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) are ignored and replaced by truly random bits distributed according to \(D^{*}_{(N,|D_{0}|,L)}\). If the oracle is a truly random permutation, the simulation yields exactly \(H_{3}\) and if the oracle equals \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k}\) for a certain key k, the simulation yields \(H_{4}\). The advantage of \(\mathsf {Dist}\) is thus exactly \(\mathbf {Adv}^{(3)}_{\mathsf {W}}(\kappa )\). As \( \mathsf {P}\) is a secure PRP, this advantage is negligible and \(H_{3}\) and \(H_{4}\) are thus indistinguishable.
- Indistinguishability of \(H_4\) and \(H_5\):
We will construct a distinguisher \(\mathsf {Dist}\) on the PRP \( \mathsf {P}\) with \(\mathbf {Adv}^\mathrm{{\text {prp}}}_{\mathsf {Dist}, \mathsf {P},\mathcal {C}}(\kappa )=\mathbf {Adv}^{(4)}_{\mathsf {W}}(\kappa )\). Note that such a distinguisher has access to an oracle that either corresponds to a truly random permutation or to \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k}\) for a key \(k\leftarrow \mathsf {P}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\).
The PRP-distinguisher \(\mathsf {Dist}\) simulates the run of \(\mathsf {W}\). It first chooses a key-pair \((\textit{pk},\textit{sk})\leftarrow \mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\) and a key \(k_{ \mathsf {P}}\leftarrow \mathsf {P}\,\!.\,\!\mathsf {Gen}(1^{\kappa })\) for the PRP \( \mathsf {P}\). It then simulates \(\mathsf {W}\). Whenever the warden \(\mathsf {W}\) makes a call to its decoding-oracle \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}\), it computes \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}(\textit{sk},\cdot )\) (or \(\bot \) if necessary). In order to generate the challenge sequence \(\hat{d}\) upon the message m, it simulates the run of \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) and replaces every call to \(P'\) or \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {P}}}\) by a call to its oracle. Similarly, the bits output by \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}(\textit{pk},m)\) are ignored and replaced by truly random bits distributed according to \(D^{*}_{(N,|D_{0}|,L)}\). If the oracle is a truly random permutation, the simulation yields exactly \(H_{4}\) and if the oracle equals \( \mathsf {P}\,\!.\,\!\mathsf {Eval}_{k}\) for a certain key k, the simulation yields \(H_{5}\). The advantage of \(\mathsf {Dist}\) is thus exactly \(\mathbf {Adv}^{(4)}_{\mathsf {W}}(\kappa )\). As \( \mathsf {P}\) is a secure PRP, this advantage is negligible and \(H_{4}\) and \(H_{5}\) are thus indistinguishable.
- Indistinguishability of \(H_5\) and \(H_6\):
We construct an attacker \(\mathsf {A}\) on \(\mathsf {PKES}^{*}\) such that there is a negligible function \(\mathsf {negl}\) with \(\mathbf {Adv}^\mathrm{{cca}}_{\mathsf {A},\mathsf {PKES}^{*},\mathcal {C}}(\kappa )+\mathsf {negl}(\kappa ) \ge \mathbf {Adv}^{(5)}_{\mathsf {W}}(\kappa )\). Note that such an attacker \(\mathsf {A}\) has access to the decryption-oracle \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Dec}_{\textit{sk}}(\cdot )\).
The attacker \(\mathsf {A}\) simply simulates \(\mathsf {W}\). First, it chooses \(f\twoheadleftarrow G_{\kappa }\). Whenever \(\mathsf {W}\) uses its decryption-oracle to decrypt \(d_{1},\ldots ,d_{N}\), the attacker \(\mathsf {A}\) simulates \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Dec}(d_{1},\ldots ,d_{N})\) and uses its own decryption-oracle \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Dec}_{\textit{sk}}(\cdot )\) in this. When \(\mathsf {W}\) outputs the challenge m, the attacker \(\mathsf {A}\) chooses all of the parameters \(D_{0},D_{1},k_{ \mathsf {H}},k_{ \mathsf {P}},k'_{ \mathsf {P}}\) as in \(\mathsf {PKStS}^{*}\,\!.\,\!\mathsf {Enc}\) and chooses its own challenge \(\widetilde{m} := m \mid \mid k_{ \mathsf {H}}\mid \mid k_{ \mathsf {P}}\mid \mid k'_{ \mathsf {P}}\mid \mid h\), where \(h= \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(D_{0}\cup D_{1})\).
The attacker now either receives \(\varvec{b}\leftarrow \mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}(\textit{pk},\widetilde{m})\) or L random bits \(\varvec{b}\) from \(D^{*}_{(N,|D_{0}|,L)}\) and computes
$$\begin{aligned} d_{1},\ldots ,d_{N}= \mathsf {generate}(D_{0} \cup D_{1},f,b_{1},\ldots ,b_{L},k_{ \mathsf {P}},k'_{ \mathsf {P}}). \end{aligned}$$
If the bits correspond to \(\mathsf {PKES}^{*}\!\,\!.\,\!\mathsf {Enc}(\textit{pk},\widetilde{m})\), this simulates the stegosystem and thus \(H_{6}\) perfectly. If the bits are random, this equals \(H_{5}\).
After the challenge is determined, \(\mathsf {A}\) continues to simulate \(\mathsf {W}\). Whenever \(\mathsf {W}\) uses its decryption-oracle to decrypt \(d_{1},\ldots ,d_{N}\), it behaves as above. There is now a significant difference to the pre-challenge situation: The attacker \(\mathsf {A}\) is not allowed to decrypt the bits \(\varvec{b}=b_{1},\ldots ,b_{L}\). Hence, when \(\mathsf {W}\) tries to decrypt documents \(d_{1},\ldots ,d_{N}\) such that \(f(d_{i})=b_{i}\), the attacker \(\mathsf {A}\) has no way to use its decryption-oracle and must simply return \(\bot \). Suppose that this situation arises. Note that in this situation the decryption-oracle of \(\mathsf {W}\) would return a message not equal to \(\bot \) if and only if \(d_{1},\ldots ,d_{N}= \mathsf {generate}(D_{0} \cup D_{1},f,\varvec{b},k_{ \mathsf {P}},k'_{ \mathsf {P}})\) and \( \mathsf {H}\,\!.\,\!\mathsf {Eval}_{k_{ \mathsf {H}}}(\{d_{1},\ldots ,d_{N}\})=h\).
If \(\varvec{b}\) is a truly random string from \(D^{*}_{(N,|D_{0}|,L)}\), the sparsity of \(\mathsf {PKES}^{*}\) implies that the probability that \(\varvec{b}\) is a valid encoding is negligible. Hence the probability that the decryption-oracle of \(\mathsf {W}\) would return a message not equal to \( \bot \) is negligible. It only remains to prove that the probability that the decryption-oracle of \(\mathsf {W}\) returns a message not equal to \(\bot \) is negligible if \(\varvec{b}\) is a valid encryption of a message. But Lemma 8 states just that. We thus have \(\mathbf {Adv}^\mathrm{{cca}}_{\mathsf {A},\mathsf {PKES}^{*},\mathcal {C}}(\kappa )+\mathsf {negl}(\kappa ) \ge \mathbf {Adv}^{(5)}_{\mathsf {W}}(\kappa )\). As the system \(\mathsf {PKES}^{*}\) is CCA-secure by Corollary 6, this advantage is negligible. Hence, \(H_{5}\) and \(H_{6}\) are indistinguishable.
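The three reductions above bound one hybrid hop each. How they combine is written out here as an added worked equation that is not part of the paper's text: \(\mathsf {Dist}_{3}\) and \(\mathsf {Dist}_{4}\) denote the two PRP-distinguishers, \(\Pr[\mathsf {W}^{H_{i}}=1]\) is assumed to denote the probability that \(\mathsf {W}\) outputs 1 in hybrid \(H_{i}\) (so that \(\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )\) is the distance between \(H_{i}\) and \(H_{i+1}\)), and the hops before \(H_{3}\) are not shown here. The triangle inequality gives

$$\begin{aligned} \Bigl|\Pr[\mathsf {W}^{H_{3}}=1]-\Pr[\mathsf {W}^{H_{6}}=1]\Bigr| &\le \sum _{i=3}^{5}\Bigl|\Pr[\mathsf {W}^{H_{i}}=1]-\Pr[\mathsf {W}^{H_{i+1}}=1]\Bigr| = \sum _{i=3}^{5}\mathbf {Adv}^{(i)}_{\mathsf {W}}(\kappa )\\ &\le \mathbf {Adv}^\mathrm{{\text {prp}}}_{\mathsf {Dist}_{3}, \mathsf {P},\mathcal {C}}(\kappa ) + \mathbf {Adv}^\mathrm{{\text {prp}}}_{\mathsf {Dist}_{4}, \mathsf {P},\mathcal {C}}(\kappa ) + \mathbf {Adv}^\mathrm{{cca}}_{\mathsf {A},\mathsf {PKES}^{*},\mathcal {C}}(\kappa ) + \mathsf {negl}(\kappa ), \end{aligned}$$

and every summand on the right is negligible by the security of \( \mathsf {P}\) and of \(\mathsf {PKES}^{*}\). The hops from \(H_{3}\) to \(H_{6}\) therefore contribute only a negligible term to the warden's total advantage; the same telescoping over the earlier hybrids yields the overall bound.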
Hence, the stegosystem \(\mathsf {PKStS}^{*}\) is SS-CCA-secure on \(\mathcal {C}\). \(\square \)
© 2018 International Association for Cryptologic Research
Berndt, S., Liśkiewicz, M. (2018). On the Gold Standard for Security of Universal Steganography. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018. EUROCRYPT 2018. Lecture Notes in Computer Science, vol 10820. Springer, Cham. https://doi.org/10.1007/978-3-319-78381-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78380-2
Online ISBN: 978-3-319-78381-9