
On the Gold Standard for Security of Universal Steganography



  1. On the Gold Standard for Security of Universal Steganography
     Sebastian Berndt and Maciej Liśkiewicz
     Institute of Theoretical Computer Science, Universität zu Lübeck
     EUROCRYPT, 2018

  2. Steganography / Subliminal Communication
     - Modern steganography: popular due to the prisoners' problem by Simmons (1984)
     - Much steganographic software exists
     - An information-theoretic model: Cachin (1998)
     - The computational model, secret-key steganography: Hopper, Langford, and von Ahn (2002), and Katzenbeisser and Petitcolas (2002)
     - (Universal / generic) secure secret-key steganography exists
     - Secure public-key steganography – many problems open

     On the Gold Standard for Security of Universal Steganography EUROCRYPT, 2018 2 / 14

  4. Steganography
     [Diagram: Alice (Encoder) and Bob (Decoder), message m, document d from channel C, and a Warden asking "Steganography in d?"]

  8. Public-Key Steganography

     | Work | Security | Channels | Applicability |
     |---|---|---|---|
     | von Ahn and Hopper 2003 | passive | universal | possible |
     | Backes and Cachin 2005 | RCCA | universal | possible |
     | Hopper 2005 | CCA | single constr. channel | possible |

     Hopper 2005: Does universal CCA-secure public-key steganography exist?

  9. Public-Key Steganography

     | Work | Security | Channels | Applicability |
     |---|---|---|---|
     | von Ahn and Hopper 2003 | passive | universal | possible |
     | Backes and Cachin 2005 | RCCA | universal | possible |
     | Hopper 2005 | CCA | single constr. channel | possible |
     | This work | CCA | all memoryless channels | possible |
     | This work | CCA | universal | impossible |

  10. Public-Key Steganography: Channel and Stegosystem
      - A channel $\mathcal{C}$: a function that maps every history $hist$ – a sequence of previously seen documents – to a probability distribution on documents
      - A stegosystem $S = (S.\mathrm{Gen}, S.\mathrm{Enc}, S.\mathrm{Dec})$ on a channel $\mathcal{C}$:
        - $(pk, sk) \leftarrow S.\mathrm{Gen}(\kappa)$
        - The stegoencoder generates $d_1, \ldots, d_l \leftarrow S.\mathrm{Enc}^{\mathcal{C}}(pk, m, hist)$, having access to the sampling oracle $\mathcal{C}$ with history $hist$
        - The stegodecoder: $m' \leftarrow S.\mathrm{Dec}(sk, d_1, \ldots, d_l)$
      - $S$ is reliable if w.h.p. $S.\mathrm{Dec}(sk, S.\mathrm{Enc}^{\mathcal{C}}(pk, m, hist)) = m$

  13. Public-Key Steganography: Chosen-Covertext Attack
      [Diagram: channel $\mathcal{C}$, message $m$, Encoder, Decoder, document $d$, the Warden's decoding queries $d_1, d_2, \ldots$ with answers $m_1, m_2, \ldots$, and the Warden's question "Steganography in $d$?"]
      - Chosen-Covertext Attack (CCA): as Chosen-Ciphertext Attack
      - Replayable-Chosen-Covertext Attack (RCCA): No Replays
        - $d_i$ is a replay of $d$ if $\mathrm{Dec}(d_i) = \mathrm{Dec}(d)$

  19. Public-Key Steganography: CCA-Security
      CCA-security game $\mathrm{CCA}(\mathrm{Ward}, S, \mathcal{C}, \kappa)$:

          1: $(pk, sk) \leftarrow S.\mathrm{Gen}(1^{\kappa})$
          2: $(m^*, hist^*) \leftarrow \mathrm{Ward.Find}^{\mathrm{Dec}_{sk}}(pk)$
          3: $b \leftarrow \{0, 1\}$
          4: if $b = 0$ then
          5:     $d^* \leftarrow S.\mathrm{Enc}^{\mathcal{C}}(pk, m^*, hist^*)$
          6: else
          7:     $d^* \leftarrow \mathcal{C}^{l}_{hist^*}$
          8: $b' \leftarrow \mathrm{Ward.Guess}^{\mathrm{Dec}_{sk,d^*}}(pk, m^*, hist^*, d^*)$
          9: return $b = b'$

      $S$ is called CCA-secure against $\mathcal{C}$ if for every $\mathrm{Ward}$ the advantage satisfies
      $\left| \Pr[\mathrm{CCA}(\mathrm{Ward}, S, \mathcal{C}, \kappa) = \mathrm{true}] - 1/2 \right| \le \mathrm{negl}$

  21. CCA-secure stegosystem for memoryless channels
      - UDP network packets: in arbitrary order (memoryless)
      - Formally, we say that a channel $\mathcal{C}$ is memoryless if $\mathcal{C}_{hist} = \mathcal{C}_{hist'}$ for all $hist, hist'$, i.e. if the history has no effect on the channel distribution.
      - Theorem: $\exists S\ \forall \mathcal{C} \in \mathrm{Memoryless}$: $S$ is CCA-secure over $\mathcal{C}$.
      - Prevent document replacement with hash-value
      - Prevent reordering of documents with PRP
      - Embed: message + hash-value + PRP-key in a sequence of documents $d_1, \ldots, d_N$
      - Problem: $d_1, \ldots, d_N$ should not deviate from random permutation
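
The CCA game from slide 19, run over a memoryless channel as on slide 21, with a warden that wins by submitting a replay in the sense of slide 13. This is an added example, not code from the slides or the paper. It assumes a deliberately malleable toy stegosystem (one keyed-hash bit per document, no real public key, so `pk` is `None`) and hypothetical wardens `replay_guess` and `blind_guess`; `hist` is dropped because the channel ignores it.

```python
import hmac, random

def bit(sk, d):                      # hidden bit carried by document d (toy keyed hash)
    return hmac.digest(sk, bytes([d]), "sha256")[0] & 1

def gen(rng):                        # assumption: toy key pair, pk is a placeholder
    return None, bytes(rng.getrandbits(8) for _ in range(16))

def enc(sk, m, channel):             # rejection sampling: one channel document per bit
    out = []
    for b in m:
        d = channel()
        while bit(sk, d) != b:
            d = channel()
        out.append(d)
    return out

def dec(sk, docs):
    return [bit(sk, d) for d in docs]

def cca_game(find, guess, rng, l=16):
    channel = lambda: rng.randrange(256)         # memoryless: same distribution every draw
    pk, sk = gen(rng)
    m = find(pk, lambda docs: dec(sk, docs), l)  # Find phase with oracle Dec_sk
    b = rng.randrange(2)
    d_star = enc(sk, m, channel) if b == 0 else [channel() for _ in range(l)]
    def oracle(docs):                            # Dec_{sk,d*}: refuses only d* itself
        return None if docs == d_star else dec(sk, docs)
    return guess(pk, m, d_star, oracle) == b

def find(pk, oracle, l):                         # warden's challenge message m*
    return [1, 0] * (l // 2)

def replay_guess(pk, m, d_star, oracle):
    # Swap the first document; if some d' != d* still decodes to m*, d' is a replay
    # of a stegotext, which the CCA oracle answers (an RCCA oracle would not).
    for x in range(256):
        if x != d_star[0] and oracle([x] + d_star[1:]) == m:
            return 0
    return 1

def blind_guess(pk, m, d_star, oracle):          # baseline warden: no oracle queries
    return d_star[0] & 1

def win_rate(guess, games=200, seed=1):
    rng = random.Random(seed)
    return sum(cca_game(find, guess, rng) for _ in range(games)) / games

if __name__ == "__main__":
    print(win_rate(replay_guess), win_rate(blind_guess))
```

The replay warden's win rate sits near 1 while the baseline stays near 1/2, which is why slide 21 binds the document sequence with a hash value and a PRP rather than decoding each document independently.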
