COVERT CRYPTOGRAPHY By Tri Van Le A Thesis Submitted in Partial Fulfillment of the Requirements for the degree of Master of Science in Computer Science at The University of Wisconsin-Milwaukee August 1999 COVERT CRYPTOGRAPHY By Tri Van Le A Thesis Submitted in Partial Fulfillment of the Requirements for the degree of Master of Science in Computer Science at The University of Wisconsin-Milwaukee August 1999 Yvo G. Desmedt Graduate School Approval Date Date COVERT CRYPTOGRAPHY By Tri Van Le The University of Wisconsin-Milwaukee, 1999 Under the Supervision of Professor Yvo G. Desmedt ABSTRACT Information hiding is covering sensitive information within normal information. This creates a hidden communication channel between the sender and receiver such that the existence of the channel is unnoticeable. Hidden channels have advantages over the encrypted channels that the anonymity of communication is protected. With the introduction of the Internet and digital document distribution, hidden channels are being used more and more widely. iii In this thesis, we combine the concepts of visual cryptography and information hiding, to create covert cryptography schemes which are perfectly secure and whose decryption process involves primitive technologies only, such as a pair of audio mixeramplier or a projector. We therefore show that it is possible to create simple yet secure schemes which protects not only secrecy but also hide the existence of communication. Yvo G. Desmedt Date iv Acknowledgments I would like to give this work to my parent, who have created the author of this thesis. I would like to thank professor Yvo Desmedt, my advisor, for his understanding and research guidance. He has always been the one who guided me through diculties to the nal completion of my thesis. The idea of employing Moire eect to covert visual cryptography is in fact due to him. I thank professor Levine for referring us to this eect, which later became one important part in my work. I would also like to thank professor George Davida and professor Rene Peralta for the time and fun they shared with me. Thanks to professor Jun Zhang for being my committee member and for proof reading my thesis. Last but not least, I would like to thank Dr. Ethan Munson and to the department stas, who has helped to create a computing environment that enabled us to work eectively. v Contents Acknowledgments v 1 Introduction 1 1.1 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Information hiding . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Secret sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Concepts and techniques 1 3 5 7 2.1 Software oriented approaches . . . . . . . 2.2 Dedicated hardware approaches . . . . . 2.2.1 Visual cryptography . . . . . . . 2.2.2 Audio and cerebral cryptography 2.2.3 Covert cryptography . . . . . . . 2.3 Basic techniques . . . . . . . . . . . . . . 2.3.1 Sampling . . . . . . . . . . . . . 2.3.2 Fourier transforms . . . . . . . . 2.3.3 Aliasing and Moire patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Covert audio cryptography 7 8 9 12 13 15 15 15 17 20 3.1 Human auditory system . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 Masking eects . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Covert model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi 20 21 22 3.3 Hiding aspect . . . . . . . . . . . . 3.3.1 Perfect secrecy . . . . . . . 3.3.2 Decryption . . . . . . . . . 3.3.3 Common techniques . . . . 3.4 Schemes . . . . . . . . . . . . . . . 3.4.1 Modular amplitude scheme . 3.4.2 Phase shifting scheme . . . 3.4.3 Phase ipping scheme . . . 3.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Covert visual cryptography 4.1 Covert model . . . . . . 4.2 Technique . . . . . . . . 4.3 Moire scheme . . . . . . 4.3.1 Encryption . . . 4.3.2 Decryption . . . 4.3.3 Secrecy . . . . . 4.4 Results and comparison 22 23 24 24 25 25 26 27 30 32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Summary 32 34 35 35 36 37 37 42 5.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Open problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bibliography 42 42 43 vii List of Figures 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Black-white square L . . . . . . . . . . . . . . White-black square R . . . . . . . . . . . . . . Cover picture of Greek character . . . . . . First share of Greek character . . . . . . . . Second share of Greek character . . . . . . . Aliasing eect in one dimensional signals . . . Moire transparency of relative angle 10o . . . Pictural model of covert audio cryptography. . Frequency lter g(t) . . . . . . . . . . . . . . Abstract model of covert visual cryptography Modied elliptical dots used in hiding . . . . . Illustration of decoding operation . . . . . . . Cover picture of Barbara . . . . . . . . . . . . Embedded picture of character T . . . . . . . First share of character T . . . . . . . . . . . Second share of character T . . . . . . . . . . viii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 10 10 11 11 18 19 22 25 33 34 36 38 38 39 40 1 Chapter 1 Introduction In this introduction, we survey basic concepts and ideas of cryptography, information hiding, and secret sharing that are relevant to this thesis. In particular, we review conventional cryptosystems, public key cryptosystems and the one-time pad cryptosystem in Section 1.1, where their implications and securities are also mentioned. In Section 1.2, we provide possible uses of information hiding, then review a number of existing schemes and motivate our work. Subliminal and covert channels, two related but some what dierent concepts, are also mentioned. Finally, in Section 1.3 we present concepts of secret sharing, which help the readers to understand the security of our schemes. 1.1 Cryptography Protecting privacy is becoming more and more a concern in this modern world. Large amount of information needs to be transferred through insecure channels such as the Internet, wireless phones or LANs. The role of cryptography is to convert those insecure channels into secure ones. For privacy protection, data is encrypted by the sender and decrypted by its legitimate receiver. The encryption and decryption process can be performed by either a person, a general purpose computer, or a dedicated hardware device. The original 2 data is called cleartext and the encrypted one is called ciphertext, respectively. In conventional cryptosystems, encryption and decryption are usually products of simple invertible mathematical operations, such as: substitution, transposition, modulo addition and multiplication. Examples of such cryptosystems are the Data Encryption Standard (DES) 29], and prospects for the Advanced Encryption Standard (AES) eort 30]. An important characteristic of conventional cryptosystems is they employ a common key for both encryption and decryption process. Therefore this key must be kept secret to everyone, except the sender and the receiver. It implies that before the communication takes place, the two parties must meet each other in advance, or a secure channel needs to be used for distributing the key. We are thus running into a chicken-egg type problem : in order to build a secure channel, we need to have a secure channel for key distribution. Since 1976, with the introduction of public key cryptosystems by Die-Hellman 17], and independently by Merkle 27], this challenging problem has been solved in principle. In the introduced cryptosystems, the encryption and decryption processes use separate keys. While the key used in the decryption process (called decryption key) is and should be kept secret, the encryption key can be made public, thus the name public key cryptosystems. The crucial advantage of these cryptosystems is : when the receiver's encryption key is public, everyone can start sending messages, by encrypting them with the receiver's encryption key. But only the legitimate receiver, having the corresponding decryption key, can decrypt the messages. Widely known examples of cryptosystems in this category are the RSA 32] and the El Gamal 19] schemes. These systems are based on the hardness of certain computational number theoretic problems, especially, the integer factorization and the discrete logarithm problems. 3 Using information theory, Shannon has proven that there is a theoretically unbreakable cryptosystem 34], namely, the one-time pad cryptosystem invented by Vernam 38]. In this cryptosystem, to encrypt (or to decrypt), one takes an exclusiveor of the cleartext (or the ciphertext) with the key, respectively. As an implication, the lengths of the key and of the ciphertext are equal to that of the cleartext, and the key is non-reusable. 1.2 Information hiding While all the above mentioned cryptosystems have solved the problem of protecting privacy of information content, they have not protected the anonymity of its sender and receiver. In fact, when data is encrypted, its random nature looks strange enough to make it stand apart from normal communications. Thus it perfectly reveals that an encrypted communication is taking place between the two parties. In some other cases, just leaking the existence of communication is enough to render the system unusable. For example, when the drug criminals hear the encrypted communication of the police over cellular phones in the region, they will immediately stop and escape to other regions. In such cases, it is clear that the police wants its communication to be hidden from the drug criminals. In another case, when some vehicle starts its encrypted communication, its exact location can be immediately calculated with two directional radars. In network security, the corresponding problem is called the trac analysis problem. Information hiding is not only used in military and police contexts, but it is also needed in the commercial world. A company needs to protect its vital nancial documents. It can do so, for example, by programming the word processor to hide its identication number in each electronic copy as well as hard copies of every document. Later, if a document is found leaked to another place, i.e. in the news media or at a 4 competing company, the leakage can be traced back to its originator. This is known as the tracing traitors problem 7]. For an abuse of this see e.g. 16, 23]. As digital audio and video content is going to be more dominant over the analog one, copyright protection is also a more serious problem. When the information is digitalized, the price of making a copy goes almost to zero. In fact, with a computer and a few commands, everyone can copy the whole content of a CD or DVD to a magnetic tape, a hard disk, or to another CD or DVD. In the case of the Internet (the Web), it is even easier. Without any high-tech skill, anyone can choose to download, and save an image or music clip with only a mouse click away. Several solutions have been proposed to prevent this, but few, if any, seems to protect the copyright perfectly while still maintaining the quality of the original document 31]. Companies such as IBM, Sony, Microsoft, and AT&T have started collaborating together in seeking ways to hide copyright information into music and video. This copyright information can later be checked by viewing or copying devices. Thus an important requirement for the hiding operation is that it must retain the high quality of the media, at least in the perception of the viewers and listeners. There is another application of information hiding. In many countries, where the use of cryptography are conditional or controlled, individual users still want to protect their privacy, but would not want to be noticed. In such cases, information hiding gives a satisfactory answer to the problem. It hides information to be sent into normal communication. If the hiding is perfect, then even the existence of the secret communication is undetectable, thus privacy of the communication is maximally protected. There have been some approaches to protect anonymity against trac analysis, e.g. Chaum's dining cryptographers problem 10]. In this approach, to protect anonymity of each senders and receivers, everyone needs constantly sending everyone else messages. Of course, this solution is of theoretical interests only. 5 We should also mention some other concepts related to but a bit dierent from information hiding, namely, the concepts of subliminal channel and covert channel. A subliminal channel is a hidden channel in an abused cryptographic protocol 35, 15]. Thus, to a certain extent, one can say that a subliminal channel is a hidden channel in a cryptographic protocol. However, this problem, its context, as well as its techniques are radically dierent. A covert channel, by its denition, is hiding information into other unusual channels, that were not designed to be communication channel. For instance, current CPU or disk load, etc., can be used as a mean of communication among users or processes in a computer system. This concept is studied in highly trusted computer systems, where certain ows of information are to be prohibited, see e.g. 25]. 1.3 Secret sharing In reality, rights and powers in corporations and organizations are usually shared among a number of parties. The purpose of secret sharing is to realize such sharing systems and their variants in a cryptographic way, under various malicious attacks from both insiders and outsiders, as well as natural errors. In the secret sharing model, such a right or power usually resolves to the possession of certain secret information, in particular a cryptographic key. For example, in a banking system, one wants that any coalition of two or more vice presidents can open the vault, but not any single of them. This gives the exibility that, for example, when the bank has 10 vice presidents and 8 of them are sick or on trip, the bank can still continue working with its two remaining vice presidents. This scheme also protects against the existence of a bad vice president, who may try to open the vault for non business purpose of the bank. 6 Secret sharing also nds applications in protecting secrecy and integrity of information. For instance, a company may need to store its precious database securely some where in its oce complex. This database can contains sensitive information, such as customer bases, prots from each products, marketing plan, or even cryptographic keys, etc... If these data are to be stored in a central location, then it creates a single point of failure, which welcomes either denial of service, theft of data, or both of them. Simply replicating the database does not make the problem vanished, because it also increases the chance of theft. A solution to this problem is to share the database into n pieces (also called shares) so that each share will contain no useful information, but only combinations of them will. The shares are then distributed to n dierent locations. Such a sharing scheme is called an m-out-of-n threshold scheme (1 m n) if given any subset of m shares, the original database can be reconstructed, but no useful information can be inferred from a subset of m ; 1 of them. With these terminologies, one can view Vernam's one-time pad cryptosystem as a 2-out-of-2 threshold scheme, where the two shares are the secret key and the ciphertext. To recover the cleartext, one needs access to both the secret key and the ciphertext. 7 Chapter 2 Concepts and techniques In this chapter, we review several approaches to information hiding, how digital information is embedded in text, image, audio, and video. We then recall basic concepts and techniques used in signal processing and computer graphics that are useful for our work later. 2.1 Software oriented approaches In general, software oriented approaches rely on the use of a universal computing device, such as a computer, to encrypt and decrypt hidden information. Although the availability of a computer gives a wider choice of algorithms, it does not imply that the security is better. We will now review them in more details. In the 1980s, document-leaking became a so serious problem that Margaret Thatcher had all her cabinet's word processors programmed to hide their identity in the word spacing of the documents so that disloyal ministers could be traced 1]. Later, the same technique was extended and used by Bell Labs of AT&T to make it easier identifying people who redistribute electronic documents 24]. The identifying marks were encoded in line spacing, word spacing, and some font features. An old method for hiding information in text (called covertext) is based on synonyms of words 22]. In a variant 9], given any English text, one transforms the text 8 into some new text, called stegotext, with the same meaning, but whose words are substituted with their synonyms. The choice of synonyms for substitution is free, hence can be used to store one or several bits there. To decrypt, one just looks up words in the synonym list, or the code book. This method is in fact an improved version of a similar method described in 39], which does not preserve the meaning of the covertext, but its character and digraph statistics only. A simple and well known method for hiding information in audio and video content is to use the least signicant bits (LSBs) in the sampled values. Changing some LSBs does not result in a noticeable degradation in an image or an audio stream. Thus the LSBs can be used to store hidden information instead. This method oers a relatively high communication bandwidth. For example, in the case of a 24-bits real color picture, the bandwidth of the hidden channel can be as much as one tenth of the original channel's 18]. Although this scheme, as well as the schemes described above, were able to hide some information into innocuous looking covertext, they are not secure in the sense that any one having access to the stegotext can decrypt the hidden information. Similar methods, such as putting hidden data in certain elds of a compressed le, or of a communication protocol, are also insecure for the same reason. A better method is to hide information into certain statistics of some secret random sample of points in an image, which is the approach of Patchwork algorithm 3]. 2.2 Dedicated hardware approaches In contrast to software oriented approaches, these approaches do not rely on any universal computing device. They use much simpler hardware to decrypt the hidden information. This is especially useful in some cases. For example, when a center wants to distribute information to many clients then the less expensive hardware used in the 9 clients, the better. This is the case of broadcasting, smart-cards, and other terminal devices. 2.2.1 Visual cryptography In 1994, Naor and Shamir 28] have opened the door to cryptographic computation which can be done without the use of a computer, e.g. by transparencies. Their research has mainly focussed on guaranteeing privacy, and the decryption requires only primitive technology. Although a computer is needed to generate the ciphertext and the key, having no need for a computer to decrypt, one can also verify the correctness of the encryption computation. We demonstrate that this idea can be extended further, towards computations in which one has more properties than just the requirement of privacy, i.e. covert. The way visual cryptography achieves its goal is by having the key and the ciphertext (in secret sharing's words, the secret shares of the cleartext 5, 33]), correspond to points printed on respective transparencies. By stacking one on top of the other, the cleartext is revealed. The following is a more detailed description of the scheme. The secret picture is a binary picture. For each point in the secret picture, if it s black, then with probability one half, the two corresponding points in share-1 and share-2 are encoded as the pair (L R). And with probability 1=2, they are encoded as the pair (R L), where L is the square in the gure 1, and R is the square in the gure 2. Otherwise, i.e. if the point in the secret picture is white, then the two corresponding points in share-1 and share-2 are encoded as the pair (L L) with probability 1=2, or as the pair (R R) with probability 1=2. To decrypt, one stacks one transparency onto the other. The secret picture will then show up in the following manner. Each black point is shown as a completely black square, while each white point is shown randomly as one of the two squares in the gures 1 and 2. Note that, one needs to be carefully stacking the two transparencies 10 Figure 1: Black-white square L Figure 2: White-black square R together so that the points in the shares are paired correctly with each other. To give an idea of how this method works, we give here an example taken from 37]. In the example, the gure of a Greek letter (gure 3) is split into two shares, which are gures 4 and 5, respectively. Their combination using transparencies will reproduce the letter in a random background. A major disadvantage of visual cryptography, as pointed out by for example, Figure 3: Cover picture of Greek character 11 Figure 4: First share of Greek character Figure 5: Second share of Greek character 12 Desmedt-Hou-Quisquater 14], is that random transparencies stick out from real pictures. Also Biham 4] recently addressed this issue, but the obtained ciphertext (and key) transparency is dierent enough from normal ones to allow a censor to block the delivery. Steganography, which may be older than cryptography 22], solves this problem. However, in many schemes the privacy is not perfect and many such schemes have recently been broken 2]. 2.2.2 Audio and cerebral cryptography Desmedt-Hou-Quisquater combined the concept of visual cryptography with steganography to obtain some other schemes, which are now described in more details. In the rst scheme, the shares (ciphertext and the key) look like normal pictures. For each share, a subset of lines and columns are deleted from the picture so that when they are combined by looking through a 3-D viewer (similar to an old Viewmaster), a stereo-gram is obtained. The encrypted cleartext will then show up as square blocks, randomly up or down relative to the background 14]. The scheme uses some interesting trick to deceive the human visual system (HVS) into 3-D perception of some objects. The point is when an object is visible to one eye but the other, the HVS automatically assumes that the object is lower or higher in the scene, comparing to those that are visible to both eyes at the same time. Using this knowledge, if each share is seen by one eye separately (i.e. as done in a 3-D viewer or an old Viewmaster), then one can control which portions are going to be seen by each eye. Consequently, one can trick the brain to an illusion that some blocks in the picture are up or down, while some others are normal. These up/down blocks are then used to encode the secret information. In the second scheme, i.e. binary audio cryptography, the ciphertext and the key correspond to music whose phases have been changed. If the corresponding bit in cleartext is 1, then the two pieces of musics in the two respective shares will be in 13 phase, otherwise they will be out of phase. Hence when heard together, a bit 1 in the cleartext will correspond to a constructive interference of the two shares, whose net eect is an increase in the amplitude of the combined music. And a bit 0 in the cleartext will then correspond to a destructive interference of the two shares. This results in a decrease of amplitude in the combined music. 2.2.3 Covert cryptography Since human voice or real pictures are much better means of communication between a human user and a cryptographic device, we want to develop simple cryptosystems whose plaintexts are not barely binary digits, but higher level languages such as voice or images. In other words, we look for information hiding schemes with the following properties: Secrecy: the information sent is protected from unwanted eyes. Covert: the existence of the secret channel is invisible to others. Simple: the decryption involves simple device only. One might question why one needs simple schemes when one already has powerful computers to run the most sophisticated encryption algorithms. It has been known that, in 1997 the Swedish government has discovered a trapdoor built into its internal e-mailing system 26], that broadcast the rst 24 bits of all its private keys into the Internet. This eectively allows the trap-door's creator to decrypt every encrypted email sent by its government. On the other hand, Kleptography 40] also shows how an encryption device can \securely" leaks its private keys to the network without creating any trace. Thus a complex black-box system may not be trusted. In the previous example, neither the reputation of the manufacturer nor the high price of the system seems to protect its 14 integrity. To have a trusted system, one has to build it on his own, or the system must be simple enough so that one is able to check its implementation correctness. The latter is our approach. In the next Chapters, we will describe several techniques used in deriving such schemes. 15 2.3 Basic techniques 2.3.1 Sampling A signal f is mathematically modeled as a continuous real function f (t) on the real domain f : R 7! R , where f (t) denotes the measured value of the signal f at time t. Sometimes it is more convenient to represent the value using complex numbers, then we can consider f (t) as a complex valued function. The function f (t) is called time domain representation of the signal f . While a continuous real function is comfortable for mathematical analysis, it is inconvenient for a digital computer to process. Hence before further processing with a computer, a signal f is rst sampled, usually at a regular grid in the time domain. The sampling operation means taking the values of function f (t) at a discrete time set Lt = fnt jn 2 Zg. This reduces the continuous function f (t) to a discrete set of values ffn = f (nt )g, called samples of f . Parameter ! := 1=t is then called sampling frequency. For a real gray level picture, we use a function f (x y) with two variables x and y indicating the x-coordinate and y-coordinate. The sampling operation on f (x y) is then taking its values at a regular grid Lxy in the space domain: Lxy := f(mx ny ) 2 R 2 j m n 2 Zg (1) Of course, sampling looses a huge amount of information about the original function f (t), unless certain conditions are satised. In the next subsection, we will see when sampling does retain the complete information about function f (t). 2.3.2 Fourier transforms Associate with a signal f , there is also a frequency domain representation of it as a complex valued function F (!), obtained from its time domain counter-part f (t) 16 through Fourier transform: Z 1 F (!) = p1 f (t)e;i!t dt (2) 2 ;1 The time domain counter-part f (t) can be reconstructed from F (!) with the inverse Fourier transform: 1 1 p F (!)ei!tdt (3) f (t ) = 2 ;1 If the signal f is nite energy and periodic of 2, we have the Fourier series representation: 1 a 0 f (t) = 2 + an cos(nt) + bn sin(nt) (4) Z X n=1 where the constants an bn are determined by the integrals: Z Z 1 b = an = 1 2 0 f (t) cos(nt)dt (5) 2 (6) 0 f (t) sin(nt)dt Note that a generic periodic signal of period T can be made into period 2 by appropriate scaling in the time domain, and that a signal with compact support in the time domain can also be made into periodic signal by repeating itself outside its support. Hence we can practically assume that our signals are periodic of period 2. By rewriting each individual frequency as: n p an cos(nt) + bn sin(nt) = cn cos(nt ; n) (7) where cn = a2n + b2n, and n = arctan (bn=an), we obtain cn and n, which are the amplitude and phase of the nth frequency, respectively. It is convenient then to write the signal f in complex form: 1 f (t) = Re Fneint (8) X n=0 17 where Fn = cnein , is the complex number, whose absolute value cn, denoted as abs(Fn) is the amplitude, and whose argument n, denoted as arg Fn, is the phase of the nth frequency eint . In other words, Fn is the coecient of the nth frequency in the signal f (t). Assuming that the signal f (t) is band-limited and periodic with period 2, then by Nyquist theorem 36, 8], we know that if f is sampled at sampling frequency N = 1=t , then its time domain representation f (t) can be restored up to frequency N=2: f (t) = XF e N n n=0 int (9) To compute these Fourier coecients Fn from the samples fn, we have the discrete Fourier transform (DFT) 36]: Fk = p1 N X f e; N n=0 n (2i=N )kn (10) and inverse discrete Fourier transform (i-DFT) to go back to the samples: fn = p1 N XF e N k=0 k (2i=N )nk (11) Cooley and Tukey 's theorem gives fast algorithms to evaluate these transform in O(N log(N )) time 11]. 2.3.3 Aliasing and Moire patterns In the gure 6, a 10Hz sinusoidal signal sin(10t) (the one on top) is sampled at a slightly dierent frequency, namely 11Hz. The resulting sampled signal is then sin(t), radically dierent from the original one. This is known as the aliasing eects in sampling. The following should explain this in more details. If we look at the inverse DFT's formula (11), all the frequencies k + nN (n = 0 1 2 :::), which represents in f (t), are accumulated in coecient Fk . Thus if the 18 Figure 6: Aliasing eect in one dimensional signals signal f does not have any frequency higher than Nyquist limit, the coecient Fk is the exact coecient of the k-th frequency. Otherwise, it also accumulates coecients of higher frequency in it, namely, k + N , k +2N , k +3N , etc... An illustrating example of this eect is when a signal f of single frequency sin(!t) is sampled at frequency ! + 1. Then the reconstructed signal f 0(t) is simply sin(t) 6= sin(!t). The same thing happens to sampling of two dimensional signals, i.e. real picture. If a picture containing good amount of some high frequency, is sampled at a frequency slightly dierent from that frequency, then the high frequency portion in the picture becomes a low frequency pattern in the sampled picture, know as Moire pattern, see e.g. 21]. These eects are thus results of under sampling. In the next paragraph, we will see that these eects also occur in other dierent situations. 19 Figure 7: Moire transparency of relative angle 10o Moire transparencies When we superimpose one transparency onto another, the resulting transparency is the multiplicative and of the two component transparencies (i.e. denoting 1's for white dot and 0's for black dots). This is nothing else but sampling one transparency at the locations of white points on the second transparency. So if the set of white points on two transparencies are relatively regular, i.e. they contain a big amount of high frequencies (called H1 and H2 respectively) and that these two sets are relatively dierent (H1 H2) then they also create Moire patterns in the resulting transparency (H1 and H2 ) is a low frequency. For example, by stacking two copies of the same transparency, where one is slightly rotated relatively to the other, then we see the Moire patterns. Figure 7 illustrates this. Note that dierent angles of rotation create dierent relative dierences in the frequencies of the two respective transparencies, hence create dierent Moire patterns. 20 Chapter 3 Covert audio cryptography In this chapter, we study techniques to hide secret speech into other audio channels, such as music and radio. Since we are trying to hide information, while keeping the original audio signal as much as possible, it is relevant to understand how the human auditory system (H.A.S.) functions, where are its hidden places. We then give in section 2 a schemes for hiding a speech in a host audio signal, making use of the masking eect. In section 3, we provide two other hiding schemes which employ the indierence of the H.A.S. with respect to phase shifting, and especially, to the negation of audio signals. 3.1 Human auditory system The human auditory system is a complex system consists of the ears, communication links to the brain, and the brain itself 36]. The ears act as microphones, receive air waves from the environment, convert them into electrical pulses and then send them through the communication links to the brain for further cognitive processing. Modern research shows that the human ears work in real-time as a frequency analyzer 36]. They have a set of nerves, each one has a hair of dierent lengths and, thus, resonates to dierent frequencies. Usually, the outer nerves have longer hair and, therefore, resonate to lower frequency. Because each hair can only resonate to 21 a specic frequency, the set of auditory nerves and their hairs make up a real-time frequency analyzer which sends the power level of each frequency to the brain in the form of impulsive signals. This is the reason why the human ears are sensitive to the power level of each individual frequency but not the phases individually. Only the relative phases among frequencies would be important to the ears and the brain. Hence, when we shift each frequency by the same phase, then the new audio signal is indistinguishable to the human auditory system. In our tests, when we choose a small number of samples (i.e. 512-1024) for doing DFT, the phases of the signal can be shifted by any angle with very little distortion in the quality of the resulting signal. It is known that the phase information is more important than the amplitude information in forming the sound. This is also true in the picture domain, see e.g. 21]. However, when the DFT size is small, i.e. 512 points, the amplitude information becomes more important. These will be used later in two of our techniques. 3.1.1 Masking eects Our goal is to seek for some candidates to hide another audio signal from the human auditory system to hide another signal. One of the good candidates for such a place is the masking eect happening in the human brain. This eect appears when both very high and very low power level signals are present. The high power signal tends to mask out the low power one. This is clearly demonstrated in the case where we are having a phone conversation from a mobile phone in the street and a sudden big truck comes by. While the truck is passing we cannot hear anything on the phone. Although the masking eect is greater at higher and lower frequencies, it does appear at every frequency in the audible range 20]. We can use this fact later to choose the best power spectra for the carrying signal. Physics brings us a noise-canceling eect, also used in 13]. When signals of the 22 Figure 8: Abstract model of covert audio cryptography. same power are out of phase and played together, two signals will cancel each other out. So we will not hear anything then. 3.2 Covert model Figure 8 illustrates model of covert audio cryptography. In the gure, the embedded audio signal is rst split into two signals, called pre-shares, so that their sum resembles the embedded signal, but each of them is independent of the embedded signal. There are three algorithms to do this, described in more details in the next sections. The pre-shares are then added to the cover signal to create the actual shares. 3.3 Hiding aspect In the rst two methods (the phase shifting and frequency ipping methods), we applied DFT on only 512 samples. This introduced what is known as frequency leaking 36, 8], which implies a degradation when computing the inverse transform. In order to avoid this problem we did not apply the DFT on the cover (e.g., the music), but only on the message (the speech). This way we avoided frequency leakage impacts on the audio quality of the shares. 23 First we let m00 (t) be the original message signal, but slightly modied to m0(t), depending on the method, as we will explain later. To guarantee that the shares are audible, we created temporary pre-shares from the (modied) message signal m0(t). We call their sum m(t), i.e., m(t) = s1(t)+ s2 (t). To recover the message we evidently need m(t) sounds very similar to the original message signal. The actual shares are made by mixing the pre-shares with the covering signal c(t), e.g. a music signal, as follows: share1(t) = ks1 (t) + (1 ; k)c(t) share2(t) = ks2 (t) + (k ; 1)c(t) where k is some small positive constant chosen between 0 and 1. It was chosen small enough so that the masking eect occurred, thus hides the pre-shares into the cover. We note that this addition is done in the time domain. 3.3.1 Perfect secrecy To guarantee perfect secrecy we obviously need s1(t) and s2 (t) to be independent of the message, as in 34]. De nition 1 Given signals m00 (t) s1(t) s2(t). We call the following statements 8t0 m00 2 R : P m0 (t0 ) = m00 s1] = P m0 (t0 ) = m00 ]P s1 ] 8t0 m00 2 R : P m0 (t0 ) = m00 s2] = P m0 (t0 ) = m00 ]P s2 ] secrecy condition. It was not easy to achieve this condition for our setting, as will be evident later. Some of the schemes we developed had to be rejected, since they did not satisfy perfect secrecy. Moreover we need to be careful, since s1(t) and s2(t) are analog signals and perfect secrecy over the reals is impossible 6]. By working with discrete values and choosing discrete random values we avoided the last problem. 24 3.3.2 Decryption The decryption method used in audio cryptography in 13] consisted of playing the rst share on speaker one and the second share on speaker two. Theoretically this should work for our non-binary audio crypto-systems, too. Indeed, share1 (t) + share2(t) = k(s1(t) + s2(t)) = km(t). However, tests have demonstrated that this does not work. There are two problems. First the mixing obtained is not good enough, and so one only hears the cover (the music). In order to solve this problem an inexpensive audio mixer suces. Secondly, even using an audio mixer, one is still unable to hear the message. The reason is that k is so small, we cannot hear the message clearly. This is solved using an (old fashioned) amplier. In Section 3.5 we will report in more details on the tests. Note that the result of the decryption method is m(t) the modied message. As long as m(t) sounds similar to the original message, we have achieved the decryption goal. 3.3.3 Common techniques In the following sections, we choose a xed lter, g(t), with non-at power spectra, where the lower and higher frequencies get more power than the middle ones, as in gure 9. This curves was chosen based on the human ears' sensitivity to each frequencies. In the last two methods (the phase shifting and phase ipping methods), we modify the original message m00(t) as follows. First m0 (t) := m00(t). Secondly, for all !: if abs(M 00 (!)) > abs(G(!)) we make abs(M 0 (!)) = abs(G(!)). In the rst method m0(t) = m00(t). How m(t) depends on m0(t) will be explained in a moment. 25 1 0.8 0.6 0.4 0.2 00 5000 10000 Frequency 15000 20000 Figure 9: Frequency lter g(t) 3.4 Schemes 3.4.1 Modular amplitude scheme In this method we pretend that the signals belong to the reals modulo a number. We compute the pre-shares this way, which will create errors when decrypting. Theorem 1 Assuming that m0 (t) is the original message and f > 1 and abs(m) < max, then the signals s1(t) and s2 (t) determined by the following formula: s1(t) 2R ;(max + 1) 0) s2(t) = m(t)0 =f ; s1 (t)( mod max) satisfy the secrecy condition. The probability that m(t) = s1 (t) + s2 (t) 6= m0 (t) is less or equal to 2=f 1 . 1 One can choose an integer element with uniform probability in the range ;(max + 1)..;1 26 Proof This is one-time pad over the reals modulo max, so secrecy condition is automatically satised. Now, P m=f ; s1 max] = P s1 m=f ; max] P s1 max=f ; max] = 1=f and P m=f ; s1 < 0] = P m=f < s1] P ;max=f < s1] = 1=f . These are the only cases where a reduction modulo max is done. 2 3.4.2 Phase shifting scheme The phase of the rst pre-share is chosen uniformly random modulo 2. The amplitude of the pre-shares corresponds to the one of g(t). Using elementary properties of trigonometry we guarantee that the amplitude of the sum of the pre-shares is the same as that of the message. Using the properties of the human auditory system (see Section 3.1) the resulting decryption will sound like the original message. Theorem 2 Assuming that m0 (t) is the message modied as explained in Section 3.3.3 and c(t) is the covering signal, and that the signals s1 (t) and s2 (t) are determined by the following formula: S1 (!) = eir1 abs(G(!)) S2 (!) = eir2 abs(G(!)) where r1 2R 0 2) where r2 = r1 + 2 arccos(abs(M!0 )=abs(G! )) modulo 2: then we have the secrecy condition. Moreover, the amplitude of m(t), the sum of the shares, is twice the amplitude of m0(t). Proof Clearly r1 2R 0 2), hence it is uniformly random2 and independent of m0(t). Also r2 ; r1 = 2 arccos(abs(M 0 (!)=G(!))) mod 2 One can choose an element with uniform probability in the interval 0 2). Note that we actually choose r1 as a uniform random (modulo l) multiple of 2=l, where l is an integer. 2 27 is independent of r1, therefore: r2 = r1 + 2 arccos(abs(M 0 (!)=G(!))) mod 2 is also uniformly random and independent of m(t), as follows from a generalization of 34] Consequently, S1 (!) and S2 (!) are independent of m(t), and so are their inverse Fourier transform s1(t) and s2 (t). Now using elementary trigonometry, we obtain M (!) = S1 (!)+S(!) = 2ei(r1 +r2)=2 cos((r2 ;r1 )=2)abs(G(!)) = 2ei(r1 +r2)=2 abs(M 0 (!)=G(!))abs(G(!)) = ei(r1 +r2 )=2 2 abs(M 0 (!)). 2 3.4.3 Phase ipping scheme In this scheme, we use small DFT window so that the amplitude information becomes the dominant one. Since analog signals do not add up modulo 2, as one can do in the one time pad, we had the feeling that such a modulo approach may create a hard to understand decryption (see Sections 3.4.1 and 3.5 for a discussion on this topic). The idea was to work modulo jG(!)j, where G(!) was chosen above, but when a reduction would be needed we replaced the output by zero. That means, we rst choose S1(!) with random phase (modulo 2), and random amplitude (modulo jG(!)j). S2(!) is then the dierence of M (!) and S1(!) (modulo jG(!)). When a reduction modulo jG(!) occurs, i.e. when M (!) ; S1(!) is either greater than jG(!) or smaller than ;jG(!), we set S2(!) to ;S1 (!). This makes the reconstructed M (!) understandable. However, this scheme turned out not to guarantee perfect secrecy. The following modication of this idea, explained in the next theorem, however, maintains the security. 28 Theorem 3 Assuming that m0(t) and g(t) is the message and lter signal respectively. Let r1 and r2 be chosen from the following ranges: r1 2R 0 2) r2 2R ;abs(G(!)) abs(G(!))]3 Then the signals S1 (!) and S2 (! ), determined by the following formulas: M? (!) S01 (!) S002 (!) S02 (!) S1 (!) S2 (!) 2R fabs(M0(!))g = = = = = r2 M? ; r2 if (abs(S002 (!)) G) then S002 (!) else ; S01 (!) eir S01 (!) eir S02 (!) 1 1 satisfy the secrecy condition, . Moreover, the amplitude of M(!), the sum of the shares, is the amplitude of M0 (! ) or zero. Proof For short notations, we drop the variable ! and use the capital letters C G Si Si0 M M 0 S200 only. We also let (x) be a real function over the complexes, which equals 1 when abs(x) G, and 0 otherwise. We need to prove that each of S1 and S2 is independent of M . We do this by rst showing that S01 and S02 are independent of M . Then, because r1 is independent of anything else, it will be straightforward to obtain that S1 and S2 are independent of M . Now S01 := r2 is chosen randomly, independent of anything else, so it is independent of M . For each real value v 2 ;G G] and each complex value 2 C , 29 abs() G, we then compute: P S02 = v k M = ] = P S02 = v k M? 2R fabs()g M = ] = P S02 = v abs(S002 ) G k M? 2R fabs()g M = ]+ P S02 = v abs(S002 ) > G k M? 2R fabs()g M = ] = P S002 = +v abs(S002 ) G k M? 2R fabs()g M = ]+ P S01 = ;v abs(S002 ) > G k M? 2R fabs()g M = ] = P S002 = +v k M? 2R fabs()g M = ]+ P S01 = ;v abs(S002 ) > G k M? 2R fabs()g M = ] = P M? ; r2 = +v k M? 2R fabs()g M = ]+ P r2 = ;v jM? ; r2j > G k M? 2R fabs()g M = ] = P abs() ; r2 = +v]+ P r2 = ;v j abs() ; r2j > G]: But we have: P abs() ; r2 = +v] = P r2 = abs() ; v] = ( (abs() ; v) + (;abs() ; v))=2G and also: P r2 = ;v j abs() ; r2 j > G] = P j abs() ; r2 j > G k r2 = ;v]P r2 = ;v] = P j abs() + vj > G k r2 = ;v]=2G = P jabs() + vj > G]=2G+ P j ; abs() + vj > G]=2G = (2 ; (abs() + v) ; (;abs() + v))=2G so: P S02 = v k M = ] = P abs() ; r2 = +v]+ P r2 = ;v j abs() ; r2 j > G] = ( (abs() ; v) + (;abs() ; v))=2G+ (2 ; (abs() + v) ; (;abs() + v))=2G = 1=G 30 which is independent of . Hence S02 is independent of M . And so is S1 and S2 . Note that if M (!) is simply replaced by jM (!)j in the theorem, then the scheme is insecure. 2 3.5 Discussion We did several tests using a TEAC Model 2 mixer and an Apollo amplier, which are both analog devices. The mixer has four input lines but we needed only two of them. The dynamic range of the amplier is about 40dB. The cover signal is a piece of music from Beethoven's For Elise, and input signal is a speech by President Clinton. Both were sampled at 11025 Hz. All three methods were very well at playing back each of the shares. They are very clean of noises and we almost can not distinguish them from the original music. The following results were obtained when decrypting the ciphertext by playing each pair of the shares together, using the mixer and the amplier. For the phase shifting and phase ipping methods, the speech was clearly understandable. We were not only able to understand the text but also to recognize whose voice it was and the tone of the speaker. For the modulo amplier method, with a linear amplier we clearly heard some clicks. These clicks made it harder to recognize the speech, hence we had a trade-o between the number of clicks and their amplitudes. With a mixer and a nonlinear amplier, however we can overcome this problem. With a little of training, one can easily recognize the voice of the embedded signal. We attached a CD-ROM containing the cover and embedded signals, as well as the resulting modied signals produced by the hiding algorithm. A problem one faced when playing both the shares at the same time is synchronization. We nd that available analog techniques 12] allow one to start playing two audio streams at almost identical times, with timing errors of about 0:3s, much less 31 than we need, i.e. of about 10s. A notable point is that these techniques are widely available not only in the market, but also at homes. 32 Chapter 4 Covert visual cryptography This chapter is devoted to building covert channels in pictures and real images. In Section 1, we give an abstract covert model of our scheme. We then introduce a new technique of forming image on transparencies, namely with an usage of the Moire eect. This technique is then used in in Section 3 to recover embedded picture from a pair of shares (transparencies). In Section 4, we relate our work in covert visual cryptography to the pioneering work of Naor and Samir in visual cryptography. 4.1 Covert model We illustrate the model of covert visual cryptography in gure 10. In the gure, the character R stands for the operation of randomizing embedded picture into two random pre-shares, each of which is independent of the embedded picture. Further more, their combination (with an exclusive-or operation) is the embedded picture. This is one-time-pad technique. It can be done by choosing the rst pre-share uniformly random. The second pre-share is then embedded picture xor the rst pre-share. The character H in the picture stands for the hiding algorithm. It takes two arguments, a real (cover) picture and a random monochrome pattern (these patterns are the pre-shares in our scheme). Algorithm H then formats the normal input picture accordingly to the pattern. It copies each dot in the the original (cover) picture into 33 Figure 10: Abstract model of covert visual cryptography 34 Figure 11: Modied elliptical dots used in hiding the resulting picture and draws them in an elliptical shape. If the corresponding point at the same location in the pattern is black, then the ellipse is rotated 45o, i.e. pointing northwest, otherwise it is rotated 135o, i.e. pointing southwest. These rotated ellipses are shown on gure 11. One on the left corresponds to a black dot, while one on the right corresponds to a white dot, on the pattern. The resulted (share) pictures now look identical to the original (cover) picture because each point in the cover picture is copied to the same location and with the same area in the resulted (share) pictures. The only dierence is that the dots are not discs but ellipses. So only the high frequency were modied, leaving the lower frequencies unchanged. When the sampling frequency is high enough, this dierence is invisible to the human eyes. To recover the embedded picture, the shares are combined together by superimposing one onto another. This is denoted as the operation in gure 10. In the next section, we will study how these rotated dots form the embedded picture in the Moire eect. 4.2 Technique If we denote 0 and 1 for the black dots and white dots respectively, then the combination of two transparencies is a multiplicative dot-wise operation. This is not a group operation on the binary set f0 1g, therefore we cannot use it directly to produce 35 perfectly secure visual shares. In visual cryptography, this problem is overcome by encoding 0 and 1 as random matrices of black and white points, thus makes the share randomly looking. In this thesis, we propose other construction employing the Moire eect. To encode a bit 0 or 1, one uses dierent Moire patterns. As we noted earlier (in Chapter 2), one can produce dierent Moire patterns with dierent angles of rotation, i.e. relative angle between the transparencies. More concretely, we encode a bit 1 (in the recovering phase) as a combination of two small squares, whose dots are rotated by two respective dierent angles. Similarly, to encode a bit 0, we use two squares with dots rotated by same angle. Hence in the resulting combination of the two shares, the embedded picture appears as a picture with one Moire pattern for black areas and another Moire pattern for white areas. So in this technique, it is the Moire pattern that form the embedded picture! while in visual cryptography of Naor and Samir, it is the average gray levels of the squares that form the embedded picture. It has certain advantages that will be discussed in section 4.4. We now give gure 12, in order to illustrate the decoding operation. 4.3 Moire scheme 4.3.1 Encryption Theorem 4 Let C and M be the cover and embedded pictures, respectively. Then the shares S1 and S2 determined by the algorithm: 1. Choose q 2R f0 1gnn. 2. Obtain S1 by rotating the dots of C accordingly to pattern V(q). 3. Obtain S2 by rotating the dots of C accordingly to pattern V(q xor E ) . satisfy the following conditions: 36 Figure 12: Illustration of decoding operation i. Perfect secrecy: S1 and S2 are independent of M . ii. Visual hiding: S1 S2 C . iii. Moire decryption: M Moire (S1 S2). 4.3.2 Decryption The decryption process is particularly simple. We stack the two shares onto each other to create Moire patterns. When Mij = 0, the dots of S1 and S2 inside the square (i j ) are rotated with the angle, i.e. their combination is either LL or RR, where L stands for a 45o rotated ellipse and R stands a 135o rotated ellipse. This gives a Moire pattern of one type. When Mij = 1, the dots of S1 and S2 inside the square (i j ) are rotated with two dierent angles, so their combination is either LR or RL. This gives a Moire pattern of another type, whose texture is dierent from that of the previous one. The embedded picture M is now visible in the Moire pattern. The black areas of M corresponds to texture of one type, while the white areas of M corresponds to 37 texture of another type. The two types of textures are visually dierent so one is able to visually recognize M . 4.3.3 Secrecy Theorem 5 The shares Si produced by the algorithm given in section 4.3.1 are probabilistically independent of the original picture M . This automatically follows from that of the one-time-pad scheme 34] so we need not to include a proof in here. 4.4 Results and comparison We give here a sample input and output of our algorithm. Input to the algorithm is a picture of Barbara (gure 13) as the cover picture, and a picture of the character T (gure 14) as the embedded picture. The produced rst and second shares are given in gures 15 and 16, respectively. Combination of these two shares using transparencies reproduces the character T. We now compare our work to previous work of Naor and Shamir's on visual cryptography 28]. In their scheme, one xes two transparencies onto each other exactly so that the dots will add up correctly. In our scheme, Moire pattern is more stable with respect to rotation and translation. So even if the transparencies are slightly misplaced or rotated, Moire pattern still occurs, i.e. the embedded picture is still visible. In fact, experiments have demonstrated that when one transparency is moving relatively to the other, then the embedded picture becomes more clear. Thus we have improved robustness against errors in the decryption operation. We should also stretch that the shares in our scheme are real pictures, not randomly looking ones like in 28]. 38 Figure 13: Cover picture of Barbara Figure 14: Embedded picture of character T 39 Figure 15: First share of character T 40 Figure 16: Second share of character T 41 The running time of the algorithm is linear in the total size of the input pictures. In practice, the time consuming stage seems to be the printing one. 42 Chapter 5 Summary 5.1 Conclusions Steganography is an ancient art of secret writing, which hides information into other forms of communication. With the introduction of computers, more complicated algorithms became practical. They can oer many more good properties than the original techniques can do, for example proven secrecy. In this work, we have shown that one can achieve perfect secrecy together with a simple decryption, such as the usage of an audio mixer, or a slide projector. Further, the embedded information is human voice or real picture, thus makes it more attractive to use. 5.2 Open problems Three aspects have been addressed in this work: information hiding, secrecy, and simplicity of decryption. It thus opens the following questions: can we use the developed techniques in here for purposes other than encryption, such as authentication, e.g. digital watermarking? Another direction which is also worth of further investigation is to give a general abstract hiding model that also address statistical and computational undetectability of the hiding operation. In the context of digital watermarking, the question is how these techniques resist removal operations! and how 43 one can improve their resistance against such operations. 44 Bibliography 1] R. J. Anderson and F. Petitcolas, On the limites of steganography, IEEE Journal on Special Areas in Communication, 16 (1998), pp. 463{473. 2] D. Aucsmith, ed., Second International Workshop on Information Hiding, 14{ 17 April, 1998, Portland, Oregon, USA, vol. 1525 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1998, Springer-Verlag. 3] W. Bender, D. Gruhl, N. Morimoto, and A. Lu, Techniques for data hiding, IBM Systems Journal, 35 (1996), pp. 313{336. 4] E. Biham, Lecture notes. Note, September 21-26 1997. 5] G. R. Blakley, Safeguarding cryptographic keys, in 1979 National Computer Conference: June 4{7, 1979, New York, New York, R. E. Merwin, J. T. Zanca, and M. Smith, eds., vol. 48 of AFIPS Conference proceedings, Montvale, NJ, USA, 1979, AFIPS Press, pp. 313{317. 6] G. R. Blakley and L. Swanson, Innite structures in information theory, in Advances in Cryptology: Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and A. T. Sherman, eds., Plenum Press, New York and London, 1983, 23{25 Aug. 1982, pp. 39{50. 7] D. Boneh and J. Shaw, Collusion-secure ngerprinting for digital data, in Advances in cryptology, CRYPTO '95: 15th Annual International Cryptology 45 Conference, Santa Barbara, California, USA, August 27{31, 1995: proceedings, D. Coppersmith, ed., vol. 963 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1995, Springer-Verlag, pp. 452{465. 8] G. E. Carlson, Signal and linear system analysis, John Wiley & Sons, New York, second ed., 1998. 9] M. T. Chapman, Hiding the hidden : a software system for concealing ciphertext as innocuous text, Master's thesis, University of Wisconsin-Milwaukee, 1997. 10] D. Chaum, The dining cryptographers problem: Unconditional sender and recipient untraceability, Journal of Cryptology: the journal of the International Association for Cryptologic Research, 1 (1988), pp. 65{75. 11] J. W. Cooley and J. W. Tukey, An algorithm for the machine calculation of complex Fourier series, Mathematics of Computation, 19 (1965), pp. 297{301. 12] E. D. Daniel, C. D. Mee, and M. H. Clark., Magnetic Recording, IEEE Press, New York, 1999, ch. Timing errors between tracks. 13] Y. Desmedt, S. Hou, and J.-J. Quisquater, Audio and noise-canceling cryptography, in Rump session of the second Information Hiding Workshop, Lecture Notes in Computer Science, Portland, Oregon, April 15{17 1998, SpringerVerlag. 14] , Cerebral cryptography, in Proceedings of the second Information Hiding Workshop, Lecture Notes in Computer Science, Portland, Oregon, April 15{17 1998, Springer-Verlag. 46 15] Y. G. Desmedt, Subliminal-free authentication and signature, in Proceedings of the Workshop on Theory and Application of Cryptographic Techniques, C. G. G$unther, ed., vol. 330 of LNCS, Berlin, May 1988, Springer, pp. 23{34. 16] , Establishing Big Brother using covert channels and other covert techniques, in Information hiding: rst international workshop, Cambridge, U.K., May 30{ June 1, 1996: proceedings, R. Anderson, ed., vol. 1174 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1996, Springer-Verlag, pp. 65{71. 17] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, IT-22 (1976), pp. 644{654. 18] A. L. Donaldson, J. McHugh, and K. A. Nyberg, Covert channels in trusted LAN's, in Proceedings of the 11th National Computer Security Conference, 1988. 19] T. E. Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in Proc. CRYPTO 84, G. R. Blakley and D. C. Chaum, eds., Springer, 1985, pp. 10{18. Lecture Notes in Computer Science No. 196. 20] D. M. Howard and J. Angus, Acoustics and psychoacoustics, Focal Press, Oxford, 1996. 21] B. Jahne, Digital Image Processing: Concepts, Algorithms, and Scientic Applications, Springer-Verlag, Berlin, Heidenberg, third ed., 1998. 22] D. Kahn, The codebreakers: the story of secret writing, MacMillan Publishing Company, New York, NY, USA, 1967. 23] J. Markoff, Microsoft to alter software in response to privacy concerns, The New York Times, (1999). 47 24] N. Maxemchuk, Electronic document distribution, AT&T Technical Journal, 73 (1994), pp. 73{80. 25] J. McHugh, Handbook for the computer security certication of trusted systems, Center for High Assurance Computing Systems, Naval Research Laboratory, Washington, DC, November 1994, ch. Covert Channel Analysis. 26] N. McKay, Spying on spies, Wired News, (1999). Wired Digital Inc. 27] R. C. Merkle, Secure communications over insecure channels, Communications of the Association for Computing Machinery, 21 (1978), pp. 294{299. 28] M. Naor and A. Shamir, Visual cryptography, in Advances in cryptology | EUROCRYPT '94: Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9{12, 1994: proceedings, A. De Santis, ed., vol. 950 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1994, Springer-Verlag, pp. 1{12. 29] National Bureau of Standards, Data Encryption Standard, U. S. Department of Commerce, Washington, DC, USA, Jan. 1977. 30] National Institute of Standards and Technology, Advanced Encryption Standard (AES) Development Eort, National Institute for Standards and Technology, Gaithersburg, MD, USA, 1998. 31] F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn, Attacks on copyright marking systems, in Second International Workshop on Information Hiding, 14{17 April, 1998, Portland, Oregon, USA, D. Aucsmith, ed., vol. 1525 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1998, Springer-Verlag, pp. 219{239. 48 32] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, ACM, 2 (1978). 33] A. Shamir, How to share a secret, Communications of the Association for Computing Machinery, 22 (1979), pp. 612{613. 34] C. E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal, 28 (1949). 35] G. J. Simmons, The prisoners' problem and the subliminal channel, in Advances in Cryptology: Proceedings of CRYPTO '83 (1983: University of California, Santa Barbara), D. Chaum, ed., New York, NY, USA! London, UK, 1983, Plenum Press, pp. 51{67. 36] S. W. Smith, The scientist and engineer's guide to digital signal processing, California Technical Publishing, San Diego, CA 92150-2407, 1997. 37] D. R. Stinson, Introductory page on visual cryptography. University of Waterloo, July 1998. 38] G. S. Vernam, Cipher printing telegraph systems for secret wire and radio telegraphic communications, J. Am. Inst. Elec. Eng., 55 (1926), pp. 109{115. 39] P. Wayner, Disappearing Cryptography: Being and Nothingness on the Net, AP Professional, Boston, MA, USA, 1996. 40] Young and Yung, Kleptography: Using cryptography against cryptography, in EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT, 1997.
© Copyright 2024 Paperzz