STEGOSYSTEMS BASED ON NOISY CHANNELS

Size: px

Start display at page:

Download "STEGOSYSTEMS BASED ON NOISY CHANNELS"

Amberlynn Burns
5 years ago
Views:

1 International Journal of Computer Science and Applications c Technomathematics Research Foundation Vol. 8 No. 1, pp. 1-13, 011 STEGOSYSTEMS BASED ON NOISY CHANNELS VALERY KORZHIK State University of Telecommunications, St. Petersburg, Russia val-korzhik@yandex.ru GUILLERMO MORALES-LUNA Computer Science, CINVESTAV-IPN, Mexico City, Mexico gmorales@cs.cinvestav.mx gmorales KSENIA LOBAN State University of Telecommunications, St. Petersburg, Russia We consider a scenario where an attacker is able to receive a stegosignal only over a noisy channel under the very strong condition that an attacker may know even the cover message (CM). We propose to use spread-time stegosystem (STS) where the embedding of spread signals into the samples of CM is performed at diversed samples controlled by stegokey. We show that both security and reliability of such STS can be guaranteed and its efficiency can be improved by the use of appropriated chosen error correcting codes. Simulation results with an own STS implementation for digital audio CM are presented. Keywords: Digital audio signal; error correcting codes; noisy Gaussian channel; relative entropy; stegosystems. 1. Introduction Steganography (SG) is the information hiding technique that embeds the hidden information into an innocent cover message (CM) under the conditions that the CM is not corrupted significantly and that the presence of the additional information into the CM may not be detected. In order to prevent statistical detecting attacks on SG systems, it should be guaranteed the following principle: the statistics of the CM and the SG signal have to be indistinguishable for the time limited analysis. But in order to implement this principle, the designer of the SG system should know at least the statistics of the CM. At the same time, it is a rather hard problem to study completely the CM distribution. In order to be successful within this risky situation (which is, indeed, a bottleneck of any SG system), it has been proposed in [Korzhik et al (006)] to move into another concept of SG system setting, namely to SG system based on noisy channels. This setting can be justified only if there exists in a natural manner a noisy 1

2 Korzhik, Morales-Luna, Loban channel and the attacker is able to receive the stegosignal just over this channel, and nothing else. There are a lot of examples where such situation takes place. For the thing: slightly noised musical files which are placed on some sites in the Internet and they are free for reading, audio and video signals in the Skype system where noise is presented due to bad cameras and microphones, speech signals in cell phone communications, etc. Then the attacker s problem consists in statistically distinguishing the CM after its passing over the noisy channel and the SG signal passing over the same noisy channel. It should be emphasized that such model is even stronger than conventional SG systems since CM can be publicized. Thus the steganalysis problem reduces to channel noise recognition within the sum of the channel noise and the embedded signal. Since the channel noise distribution is, as a rule, known much better than the CM distribution, the problem to design SG systems which are resistant to their detection is simplified. In the current paper we adopt a Gaussian channel from the two models given in [Korzhik et al (006)]. The embedding of an information bit b {0, 1} can be provided as n = 1,..., N 0 : C W (n) = C(n) + ( 1) b σ W π(n) (1) where (C(n)) N0 is the CM, (π(n))n0 is a zero-mean Gaussian pseudorandom i.i.d. reference sequence with variance 1, N 0 is the length of both sequences used to embed one secret bit b and σ W 0 is the coefficient that determines the depth of embedding. After a passing of the watermarked signal through the Gaussian channel we get n = 1,..., N 0 : C (n) = C W (n) + ε(n) where ε = (ε(n)) N0 is a zero-mean Gaussian i.i.d. noise sequence with variance σ ε. It has been proved in [Korzhik et al (010)] that both security of such SG (in terms of the relative entropy [Cachin (1998)]) and reliability (in terms of the bit error probability for the extracted information) can be provided by appropriate selection of the parameters σ W and N 0 but it requires the impractical value of η W = σ ε. In order to overskip this unfortunate situation, we propose in section σw the so called spread-time stegosystem (STS). The security and reliability of STS are proved in that section jointly with an optimization of parameters. An improvement at the cost of using error correcting codes is also given there. Section 3 presents the results of STS simulation for digital audio signal with a CM in the WAV format. Section 4 consists of some conclusions and open problems in this direction.. Description of STS and its performance evaluation Let us consider initially an uncoded stegosystem. Let us embed secret bits b as a random modification of the embedding rule (1), namely, n = 1,..., N 0 : Pr [ C W (n) = C(n) + ( 1) b σ W π(n) ] = P 0 Pr [C W (n) = C(n)] = 1 P 0 ()

3 Stegosystems based on noisy channels 3 Fig. 1. Pseudorandom samples for STS embedding, with N s = 8, N = 38, P 0 = 8/38 = 4/19. In practical implementation of the modified embedding rule (), we can simply use a pseudorandom subsequence of samples. Let (n m ) Ns m=1 be an increasing sequence of indexes, N s N, generated also as a secret stegokey K, determining the samples in which the WM s are to be embedded (see Fig. 1). Then for a large value of N we may assume that P 0 = N s /N. For uncoded SG, the same secret bit b is used at N 0 consecutive chosen samples for embedding. Hence the total number of secret bits embedded into N samples for STS is N t = N s /N. Any legal user should know the stegokey K, hence he knows exactly the samples with embedding, and is able to extract one-by-one all the N t secret bits using the decision rule for informed decoder: The optimal decision rule for the embedded bit b, in the case of a Gaussian channel and decoder s CM knowledge, is N 0 { Λ = (C (n) C(n)) π(n) b 0 if Λ 0 = (3) 1 otherwise (we write for simplicity in (3) and also later in similar situations, n {1,,..., N 0 }, while actually we are referring to the stegokey samples, n {n 1, n,..., n N0 }). It is easy to show that for a Gaussian reference sequence π = (π(n)) N0 the error probability of the decision rule (3) is P e = Q ( N 0 η W + ) ( ) N 0 exp (η W + ) where Q : x Q(x) = 1 + π e u du. x An attacker A ignores the stegokey and hence the samples with the WM embedding. In order to take a decision about presence or absence of the SG system under the condition of a known C = (C(n)) N, the attacker A has to perform a testing of two hypothesis. Let (4) δ = (δ(n) = C W (n) C(n)) N (5) and σs = σε + σw. Then the two hypothesis to be tested are: H 0 : [ δ N(0, σε) and is an i.i.d ] (6) { ( Pr δ N(0, σ s ) and is an i.i.d ) = P 0 H 1 : Pr ( δ N(0, σε) and is an i.i.d ) (7) = 1 P 0

4 4 Korzhik, Morales-Luna, Loban The hypothesis testing can be done using the maximum likelihood ratio Λ (Λ 1 Λ 0 ) = P (δ H 1) P (δ H 0), where P (δ H j) is the probability distribution of the random variables (δ(n)) N on the condition that hypothesis H j holds, j = 0, 1. Namely, the optimal hypothesis testing based on maximum likelihood ratio [van der Warden (1957)] is [Λ (Λ 1 Λ 0 ) λ = H 1 ] & [Λ (Λ 1 Λ 0 ) < λ = H 0 ] (8) where λ is some fixed threshold. By substituting into (8) the probability distributions (6)-(7) we get [ N ) P 0 exp ( δ(n) πσ s σs + 1 P ) 0 exp ( ] δ(n) πσ ε σε [ N ) 1 exp ( ] λ. δ(n) πσ ε σε This relation can be easily transformed into the following: N ) ] πσε [P 0 πσs exp ( (σ ε σ s) δ(n) σεσ s + (1 P 0 ) λ. By changing the threshold λ in this relation, it is possible to pass to the logarithmic likelihood ratio and Λ L (Λ 1 Λ 0 ) = Λ L (Λ 1 Λ 0 ) = log Λ (Λ 1 Λ 0 ), N ( ) ] σε log [P σ 0 σs exp W σsσ ε δ(n) + (1 P 0 ). (9) The application of the transformed decision rule based on Λ L (Λ 1 Λ 0 ) using (9) is rather hard. We will consider it again something later. But so far let us consider a suboptimal decision rule based on some further reasonable conditions. First of all let us assume, in line with a good security guarantee, σ W << σ ε. Then, a normalization of (9) expresses Λ L (Λ 1 Λ 0 ) as 1 N N [ ( ) ] 1 log P 0 exp ηw δ(n) + (1 P 0 ) σ ε The series expansion of x log(1 + x) up to its linear term produces [ N ( ) ] 1 Λ L (Λ 1 Λ 0 ) = P 0 exp ηw δ(n) N. σ ε The series expansion of x exp(x) up to its linear term renders the following decision rule: ] ] [ Λ λ = H1 & [ Λ < λ = H0 (11) (10)

5 Stegosystems based on noisy channels 5 where Λ = 1 N N δ(n) and λ is some new threshold. The decision rule (11) is sufficiently reasonable because E[δ H 1 ] > E[δ H 0 ] as we will show later. Let us estimate the missing and false alarm probabilities, P m and P fa respectively, for the hypothesis H 1 (presence of the SG system) against hypothesis H 0 (absence of the SG system) under the decision rule given by (11). For enough large N, by the Central Limit Theorem, Λ N(µ j, σ j ) for H j, where µ j = E[ Λ H j ] and σ j = Var ( Λ Hj ), for j = 0, 1. Since σ 1 > σ 0 we get: P m λ 1 πσ 0 exp ( (x µ 1) ) dx, (1) σ P fa exp ( (x µ 0) ) dx. (13) πσ 0 λ Let us select the threshold λ in such a way that the condition P m = P fa = P is fulfilled. After simple transforms of eq s (1)-(13) it is obtained ( ) µ1 µ 0 P Q. (14) σ 0 Necessarily the following identities should hold: σ 0 µ 0 = σ ε ; µ 1 = σ ε + P 0 σ W ; σ 0 = N σ4 ε. (15) ( ) N P By substituting (15) into (14), we get P Q 0 η W, or equivalently, ( ) N P Q s, where, as introduced at the beginning of the current section, N s is the number of samples with embedding. Consequently if asymptotically Nη W N s N, then P 1 and an undetectable stegosystem results. In order to embed m secret bits into N s samples, N 0 = Ns m samples should be selected for embedding each bit. Then the error probability P e after extraction of one bit by a legal informed decoder is expressed by (4). It is necessary to note that in order to extract the secret bits, the legal decoder has to be synchronized with both the reference sequence π, appearing in relation (1), and the pseudorandom sequence determining the samples with embedding. In Table 1 we show the calculation results for some values of parameters N s, N 0, m, P 0 providing P e 10 3 and P 0.4, given some values of N and η W. For enough large N, it is possible to provide a good undetectability (P 0 0.4) and reliability (P e 10 3 ) of the STS and embed up to 3 secure bits. For an implementation of the STS it is necessary to generate a pseudorandom zero-mean Gaussian reference (π(n)) N and a pseudorandom sequence of sample numbers in which the WM s are to be embedded. These sequences should be nonperiodical and non-predictable. Otherwise, this will allow side attacks on the STS. Stream ciphers can be proposed as a technique to generate such sequence. Moreover, the alternating step generator based on three linear feedback registers (LFSR) with

6 6 Korzhik, Morales-Luna, Loban N η W N 0 N s m P 0 = Ns N Table 1. Sets of parameters for STS providing P and P e 10 3 given different values of N 0 and η W. lengths around 18 bits [Menezes et al (1996)] seems to be very suitable for these purposes. Then the length of the stegokey corresponding to the initial states of LFSRs will be about 50 bytes only. Since the values of the reference sequence (π(n)) N are added with Gaussian noise of greater power, it is very questionable that the stegokey can be broken using even sophisticated cryptographic attacks like those which allow to break, for the thing, the stream cipher A5/1, rather than when the stegoanalyst has direct access to the output of the stream cipher generator used in the STS. A harder problem within the implementation of the STS is the necessity to use an informed decoder to extract the embedded information. This means that all samples (C(n)) N0 of the CM should be saved in some memory and next used in decoding procedure absolutely correct (see relation (3)). If the CM is, for instance, a musical file of length 4 minutes in format WAV then the size of the memory should be about 0 MB. Although the memory size does not entail a severe problem in STS implementation, the thing is that getting a clear CM (i. e. without any embedding) can pose a very hard problem for the legal users. Therefore it will be very attractive to use a blind decoder where it is not necessary to use the CM. But since the averaged power of the CM is greater than the averaged power of Gaussian noisy which in turn is greater than the power of the embedded signals, it results a dramatic decreasing of the embedding rate [Barni (005)]. In order to overcome this defect, there are well known two main methods within the use of the so called informed encoder. The first of them uses improved spread spectrum signals (ISSS [Malvar et al (001)]). Then instead of (1) we have: n = 1,..., N 0 : C W (n) = C(n) + (β( 1) b λx)π (n) (16)

7 Stegosystems based on noisy channels 7 Fig.. Uniform quantizer with the step. 1 N0 where β, λ are some constants, x = N 0σW C(n)π (n) and n : π (n) = σ W π(n). The decision rule for ISSS is: N 0 Λ = C (n) π(n) b = { 0 if Λ 0 1 otherwise where C (n) = C W (n) + ε(n). We see from (16) that the probability distribution of (β( 1) b λx)π (n) + ε(n) in general differs from a Gaussian distribution and this fact can be used in order to break the SG security. Although it is not easy to establish a deviation against a Gaussian distribution under the noise of greater power, the solution requires further investigations. But even so, SG based on ISSS is maintaining still secure, this method is unable to provide the embedding rate close to the case of an informed decoder. In fact, the probability of bit error by (17) is (as shown in [Malvar et al (001)]) ( N 0 η P = Q. (18) η W 1 ( ) where η = σ C, σ σw C = Var (C(n)) N0. We see from (18) that it can be close to the relation (4) for the informed decoder only in the case of a very large N 0, namely N 0 >> η. The second method to implement a blind decoder is known as quantization projective modulation (QPD) [Pérez-Freire (005)]. The embedding procedure is ) (17) n = 1,..., N 0 : C W (n) = C(n) + 1 N 0 (Q b (x) x)π(n) (19) where x = N 0 C(n)π(n) and Q b is an uniform quantizer with step, taking alternating points (see Fig. ) depending on b. The decision rule for QPD is: b = arg min x Q b (x ), (0) b {0,1} where x = N 0 C (n)π(n), and is the Euclidean norm in the real space. We see from (19) that QPD, also similar to ISSS, entails a deviation of the STS samples from Gaussian distribution and this property offers an attack on the SG, hence this should be investigated in more detail.

8 8 Korzhik, Morales-Luna, Loban The probability of bit error by the decision rule (0) is approximately [Pérez- Freire (005)]: ( ) 3 P e = Q 4 N 0. (1) η W 1 We see that the value P e given by (1) is enough close to the relation (4) for an informed decoder but it has been proved under some approximation which requires still further investigations. In order to improve the STS efficiency it is possible to use coded STS. Then an embedding procedure such as () has to be replaced as follows: Given a CM C = (C(n)) N, let C W = (C W (n)) N be such that for each sample index n j with embedding Pr [ C W (n j ) = C(n j ) + ( 1) bij σ W π(n j ) ] = P 0 Pr [C W (n j ) = C(n j )] = 1 P 0 where b ij is the j-th bit in the i-th codeword of length N 0 = N s /l, with l a positive integer value. We will restrict our attention to binary linear systematic (N 0, k, d)-codes, varying i in the interval {1,,, k 1, k }, with d the minimal code distance. In this setting the informed decoder takes a decision about the embedding of the i-th codeword by making i = arg max 1 i k N 0 j=1 (C W (n j ) C(n j )) ( 1) b i j π(n) The total number of secure embedded bits is m = kl and the block-error probability P be, based on well known union bound [Macwilliams et al (1983)], is: ( ) ( ) P be ( k d d 1) Q exp + η W ( + η W ) + R N 0 ln. Since signal-to-noise ratio η 1 W is typically small, we will restrict our consideration only to two classes of linear error correcting codes: the simplex codes (SC) and the Reed-Muller codes (RMC) [Macwilliams et al (1983)]. For the first class the main parameters are: N 0 = ν 1, k = ν, d = ν 1, R = ν N 0, where ν is some integer; whereas for the second class: N 0 = ν, k = r ( ν i=1 i), d = ν r, where ν 3 and r is an integer, the so called order of the RMC. Now we can fix the total number of samples N, the security level P, the blockerror probability P be, the parameter η W and then to optimize the code parameters N 0, ν and r in order to provide the maximum possible number m of secure and reliable embedded bits. Example.1. Let us take N = 10 7, P 0.4, P be 10 3, η W = 0. Then we get for the class of SC the optimal parameters ν = 10, k = 10, the total number of secret bits m = k Ns N 0 = 44. If we require more reliable extraction then we get, for

9 Stegosystems based on noisy channels 9 the class of RM codes, the optimal parameters ν = 14, r =, k = 105 and for the same restrictions P 0.4, η W = 0, the total number m of embedded secret bits is about 90 with P be So, we can conclude that the use of error correcting codes results in either an increment in the number of secure embedded bits or in an improvement of reliability. Let us find out whether the use of the optimal decision rule (10) can provide an appreciable improvement of STS detecting in comparison with the suboptimal decision rule (11). Since N is sufficiently large, we can apply the Central Limit Theorem to the sum in (10). Then similar to the proof of (14) we get for such a choice of the threshold λ, which provides P m = P fa = P the following upper bound ( ) µ1 µ 0 P Q () σ 0 where, for j = 0, 1, and where µ j = E [ ( log σ 0 = 1 ) ((s(n)) N Var N H j = 1 N ( ( ) )) δ(n) N P 0 exp η W σε + (1 P 0 ) ( [ ( E (s(n)) ) N ( ( ) ) δ(n) s(n) = log P 0 exp η W σε + (1 P 0 ) ] H j ] ) H j µ 0, and the random values δ(n) have the probability distributions given by (5). Since it is very hard to find analytically the values µ 0, µ 1 and σ 0, we estimate them just by the simulation of the above described procedure. In Table there are presented the simulation results for µ 0, µ 1 and σ 0 and the calculation of P by () for typical values of σε, η W and P 0. It can be seen that the use of the optimal decision rule does not break undetectability of STS, hence it can be declared as a secure SG system indeed. 3. Simulation of STS for audio cover messages We use an audio music file in format WAV where the sample frequency is 44.1 khz with duration about 9 sec. The CM signal-to-noise ratio η c = σ C σ has been ε taken as 10 db, whereas the noise-to-watermark ratio (NWR) η W was 0 db. The embedding rule was taken as (), where P 0 = 0.1. In Fig. 3 the wave forms of the original audio signal, audio signal after passing over a noisy channel and after secret message embedding are presented at the same time interval. One can see that the noise corrupts slightly the audio signal and this fact can also be appreciated by human ear, whilst, at the same time, the embedding procedure is not observable.

10 10 Korzhik, Morales-Luna, Loban N σ ε η W ( ) P 0 = Ns N µ 0 µ 1 σ 0 P = Q µ1 µ 0 σ Table. Results of simulations for values of µ 0, µ 1 and σ 0 versus typical values of σ ε, η W and P 0. Moreover, in Fig. 4 the waveforms of channel noise are shown, as well as this noise after embedding with straining in time confirming this fact. (Of course we do not claim that the impossibility to detect the SG system either by ear or by eye, is enough to prove its security by the best statistical methods. We have proved indeed this fact in the previous section). In Table 3 we present the results of simulation for the error probability P e versus the block length N 0 and η W. The error probability P e calculated by eq. (4) is also presented in this Table. There, we can see that the reliability of STS obtained by simulation is even better than the theoretical estimated bound.

11 Stegosystems based on noisy channels 11 Fig. 3. (a) The waveforms of audio signal, (b) audio signal after its passing over noisy channel with CM signal-to-noise ratio η c = 10dB, and (c) after embedding by STS algorithm with NW R = 0dB. The arrows show the samples with embedding. Fig. 4. (a) The waveform of channel noise and (b) same channel noise after embedding with rule ().

12 1 Korzhik, Morales-Luna, Loban η W N 0 P e Pe Table 3. The results of calculations for the error probability P e obtained after decoding by rule (3) and the theoretical error probability P e calculated by eq. (4), for different parameters η W and N Conclusions In the current paper we proposed some modification of the stegosystem based on noisy channel called spread-time stegosystem (STS). The goal of the STS is to provide such a NWR able to be implemented in practice, especially with digital cover messages. We prove that both STS security and reliability of secure bit extraction can be provided by an appropriate selection of the system parameters. The main defect of the proposed stegosystem is its low embedding rate which entails longer times for the embedding of a limited number of secret bits. The used error correcting codes improve this situation but only slightly. However this is a generic property sacrificed on the altar of undetectability and an attacker s knowledge of the CM. We show that the suboptimal SG system detection (see eq. (11) is practically as much efficient as the optimal (based on the maximum likelihood ratio). Simulation of the STS with audio CM shows that its detection by ear and eye is impossible, whereas the embedded bits can be extracted reliably. The first of open problems which we are going to consider in the near future is to specify security of STS for digital CM after saving the stegosignal in different formats. The second problem considers an extraction of secret bits by a blind decoder (in particular using the quantization projective modulation [Pérez-Freire (005)]) while keeping a good undetectability of STS. References Barni, M., Bartolini, F. (005). Watermarking System Engineering, Marcel Dekker. Cachin, C. (1998). An information-theoretic model for steganography, in International Workshop on Information Hiding Springer LNCS, pp Korzhik, V., Lee, M. H., Morales-Luna, G. (006). Stegosystems based on noisy channels, in Proc. IX Spanish Meeting on Cryptology and Information Security. Univ. Aut. Barcelona, pp Korzhik, V., Morales-Luna, G., Loban, K. (010). Undetectable Spread-time Stegosystem Based on Noisy Channels, in International Multiconference on Computer Science and Information Technology - IMCSIT 010, Proceedings, Wisla, Poland, 18-0 October 010, pp Macwilliams, F. J., Sloane, N. J. A. (1983). The Theory of Error-Correcting Codes, ser. North-Holland Mathematical Library. North Holland. Malvar, H. S., Florêncio, D. (001). Improved spread spectrum: A new modulation tech-

13 Stegosystems based on noisy channels 13 nique for robust watermarking, IEEE Trans. on Signal Processing, vol. 51, no. 4, pp Menezes, A. J., Vanstone, S. A., Oorschot, P. C. (1996). Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, USA. Pérez-Freire, L., Pérez-González, O. (005). Spread-spectrum vs. quantization-based data hiding: Misconceptions and implications, in Proceedings of IS&T/SPIE 17th Annual Symposium: Electronic Imaging, Security, Steganography, and Watermarking of Multimedia Contents VII, pp van der Warden, B. (1957). Mathematische Statistik. Springer.

The peculiarities of the model: - it is allowed to use by attacker only noisy version of SG C w (n), - CO can be known exactly for attacker.

Lecture 6. SG based on noisy channels [4]. CO Detection of SG The peculiarities of the model: - it is alloed to use by attacker only noisy version of SG C (n), - CO can be knon exactly for attacker. Practical