1. No category

covert cryptography

COVERT CRYPTOGRAPHY
By
Tri Van Le
A Thesis Submitted in
Partial Fulfillment of the
Requirements for the degree of
Master of Science
in
Computer Science
at
The University of Wisconsin-Milwaukee
August 1999
COVERT CRYPTOGRAPHY
By
Tri Van Le
A Thesis Submitted in
Partial Fulfillment of the
Requirements for the degree of
Master of Science
in
Computer Science
at
The University of Wisconsin-Milwaukee
August 1999
Yvo G. Desmedt
Graduate School Approval
Date
Date
COVERT CRYPTOGRAPHY
By
Tri Van Le
The University of Wisconsin-Milwaukee, 1999
Under the Supervision of Professor Yvo G. Desmedt
ABSTRACT
Information hiding is covering sensitive information within normal information.
This creates a hidden communication channel between the sender and receiver such
that the existence of the channel is unnoticeable. Hidden channels have advantages
over the encrypted channels that the anonymity of communication is protected. With
the introduction of the Internet and digital document distribution, hidden channels
are being used more and more widely.
iii
In this thesis, we combine the concepts of visual cryptography and information
hiding, to create covert cryptography schemes which are perfectly secure and whose
decryption process involves primitive technologies only, such as a pair of audio mixeramplier or a projector. We therefore show that it is possible to create simple yet
secure schemes which protects not only secrecy but also hide the existence of communication.
Yvo G. Desmedt
Date
iv
Acknowledgments
I would like to give this work to my parent, who have created the author of this thesis.
I would like to thank professor Yvo Desmedt, my advisor, for his understanding and
research guidance. He has always been the one who guided me through diculties to
the nal completion of my thesis. The idea of employing Moire eect to covert visual
cryptography is in fact due to him. I thank professor Levine for referring us to this
eect, which later became one important part in my work. I would also like to thank
professor George Davida and professor Rene Peralta for the time and fun they shared
with me. Thanks to professor Jun Zhang for being my committee member and for
proof reading my thesis. Last but not least, I would like to thank Dr. Ethan Munson
and to the department stas, who has helped to create a computing environment that
enabled us to work eectively.
v
Contents
Acknowledgments
v
1 Introduction
1
1.1 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Information hiding . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Secret sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 Concepts and techniques
1
3
5
7
2.1 Software oriented approaches . . . . . . .
2.2 Dedicated hardware approaches . . . . .
2.2.1 Visual cryptography . . . . . . .
2.2.2 Audio and cerebral cryptography
2.2.3 Covert cryptography . . . . . . .
2.3 Basic techniques . . . . . . . . . . . . . .
2.3.1 Sampling . . . . . . . . . . . . .
2.3.2 Fourier transforms . . . . . . . .
2.3.3 Aliasing and Moire patterns . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3 Covert audio cryptography
7
8
9
12
13
15
15
15
17
20
3.1 Human auditory system . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.1 Masking eects . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Covert model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi
20
21
22
3.3 Hiding aspect . . . . . . . . . . . .
3.3.1 Perfect secrecy . . . . . . .
3.3.2 Decryption . . . . . . . . .
3.3.3 Common techniques . . . .
3.4 Schemes . . . . . . . . . . . . . . .
3.4.1 Modular amplitude scheme .
3.4.2 Phase shifting scheme . . .
3.4.3 Phase ipping scheme . . .
3.5 Discussion . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
4 Covert visual cryptography
4.1 Covert model . . . . . .
4.2 Technique . . . . . . . .
4.3 Moire scheme . . . . . .
4.3.1 Encryption . . .
4.3.2 Decryption . . .
4.3.3 Secrecy . . . . .
4.4 Results and comparison
22
23
24
24
25
25
26
27
30
32
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5 Summary
32
34
35
35
36
37
37
42
5.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Open problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bibliography
42
42
43
vii
List of Figures
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Black-white square L . . . . . . . . . . . . . .
White-black square R . . . . . . . . . . . . . .
Cover picture of Greek character . . . . . .
First share of Greek character . . . . . . . .
Second share of Greek character . . . . . . .
Aliasing eect in one dimensional signals . . .
Moire transparency of relative angle 10o . . .
Pictural model of covert audio cryptography. .
Frequency lter g(t) . . . . . . . . . . . . . .
Abstract model of covert visual cryptography
Modied elliptical dots used in hiding . . . . .
Illustration of decoding operation . . . . . . .
Cover picture of Barbara . . . . . . . . . . . .
Embedded picture of character T . . . . . . .
First share of character T . . . . . . . . . . .
Second share of character T . . . . . . . . . .
viii
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
10
10
10
11
11
18
19
22
25
33
34
36
38
38
39
40
1
Chapter 1
Introduction
In this introduction, we survey basic concepts and ideas of cryptography, information
hiding, and secret sharing that are relevant to this thesis. In particular, we review
conventional cryptosystems, public key cryptosystems and the one-time pad cryptosystem in Section 1.1, where their implications and securities are also mentioned.
In Section 1.2, we provide possible uses of information hiding, then review a number
of existing schemes and motivate our work. Subliminal and covert channels, two related but some what dierent concepts, are also mentioned. Finally, in Section 1.3 we
present concepts of secret sharing, which help the readers to understand the security
of our schemes.
1.1 Cryptography
Protecting privacy is becoming more and more a concern in this modern world. Large
amount of information needs to be transferred through insecure channels such as the
Internet, wireless phones or LANs. The role of cryptography is to convert those
insecure channels into secure ones.
For privacy protection, data is encrypted by the sender and decrypted by its legitimate receiver. The encryption and decryption process can be performed by either
a person, a general purpose computer, or a dedicated hardware device. The original
2
data is called cleartext and the encrypted one is called ciphertext, respectively.
In conventional cryptosystems, encryption and decryption are usually products of
simple invertible mathematical operations, such as: substitution, transposition, modulo addition and multiplication. Examples of such cryptosystems are the Data Encryption Standard (DES) 29], and prospects for the Advanced Encryption Standard
(AES) eort 30].
An important characteristic of conventional cryptosystems is they employ a common key for both encryption and decryption process. Therefore this key must be
kept secret to everyone, except the sender and the receiver. It implies that before the
communication takes place, the two parties must meet each other in advance, or a
secure channel needs to be used for distributing the key. We are thus running into
a chicken-egg type problem : in order to build a secure channel, we need to have a
secure channel for key distribution.
Since 1976, with the introduction of public key cryptosystems by Die-Hellman 17],
and independently by Merkle 27], this challenging problem has been solved in principle. In the introduced cryptosystems, the encryption and decryption processes use
separate keys. While the key used in the decryption process (called decryption key)
is and should be kept secret, the encryption key can be made public, thus the name
public key cryptosystems. The crucial advantage of these cryptosystems is : when
the receiver's encryption key is public, everyone can start sending messages, by encrypting them with the receiver's encryption key. But only the legitimate receiver,
having the corresponding decryption key, can decrypt the messages. Widely known
examples of cryptosystems in this category are the RSA 32] and the El Gamal 19]
schemes. These systems are based on the hardness of certain computational number
theoretic problems, especially, the integer factorization and the discrete logarithm
problems.
3
Using information theory, Shannon has proven that there is a theoretically unbreakable cryptosystem 34], namely, the one-time pad cryptosystem invented by
Vernam 38]. In this cryptosystem, to encrypt (or to decrypt), one takes an exclusiveor of the cleartext (or the ciphertext) with the key, respectively. As an implication,
the lengths of the key and of the ciphertext are equal to that of the cleartext, and
the key is non-reusable.
1.2 Information hiding
While all the above mentioned cryptosystems have solved the problem of protecting
privacy of information content, they have not protected the anonymity of its sender
and receiver. In fact, when data is encrypted, its random nature looks strange enough
to make it stand apart from normal communications. Thus it perfectly reveals that
an encrypted communication is taking place between the two parties. In some other
cases, just leaking the existence of communication is enough to render the system
unusable. For example, when the drug criminals hear the encrypted communication
of the police over cellular phones in the region, they will immediately stop and escape
to other regions. In such cases, it is clear that the police wants its communication
to be hidden from the drug criminals. In another case, when some vehicle starts its
encrypted communication, its exact location can be immediately calculated with two
directional radars. In network security, the corresponding problem is called the trac
analysis problem.
Information hiding is not only used in military and police contexts, but it is
also needed in the commercial world. A company needs to protect its vital nancial
documents. It can do so, for example, by programming the word processor to hide its
identication number in each electronic copy as well as hard copies of every document.
Later, if a document is found leaked to another place, i.e. in the news media or at a
4
competing company, the leakage can be traced back to its originator. This is known
as the tracing traitors problem 7]. For an abuse of this see e.g. 16, 23].
As digital audio and video content is going to be more dominant over the analog
one, copyright protection is also a more serious problem. When the information is
digitalized, the price of making a copy goes almost to zero. In fact, with a computer
and a few commands, everyone can copy the whole content of a CD or DVD to a
magnetic tape, a hard disk, or to another CD or DVD. In the case of the Internet
(the Web), it is even easier. Without any high-tech skill, anyone can choose to download, and save an image or music clip with only a mouse click away.
Several solutions have been proposed to prevent this, but few, if any, seems to
protect the copyright perfectly while still maintaining the quality of the original document 31]. Companies such as IBM, Sony, Microsoft, and AT&T have started collaborating together in seeking ways to hide copyright information into music and video.
This copyright information can later be checked by viewing or copying devices. Thus
an important requirement for the hiding operation is that it must retain the high
quality of the media, at least in the perception of the viewers and listeners.
There is another application of information hiding. In many countries, where
the use of cryptography are conditional or controlled, individual users still want to
protect their privacy, but would not want to be noticed. In such cases, information
hiding gives a satisfactory answer to the problem. It hides information to be sent into
normal communication. If the hiding is perfect, then even the existence of the secret communication is undetectable, thus privacy of the communication is maximally
protected.
There have been some approaches to protect anonymity against trac analysis, e.g. Chaum's dining cryptographers problem 10]. In this approach, to protect
anonymity of each senders and receivers, everyone needs constantly sending everyone
else messages. Of course, this solution is of theoretical interests only.
5
We should also mention some other concepts related to but a bit dierent from
information hiding, namely, the concepts of subliminal channel and covert channel.
A subliminal channel is a hidden channel in an abused cryptographic protocol 35,
15]. Thus, to a certain extent, one can say that a subliminal channel is a hidden
channel in a cryptographic protocol. However, this problem, its context, as well as
its techniques are radically dierent.
A covert channel, by its denition, is hiding information into other unusual channels, that were not designed to be communication channel. For instance, current CPU
or disk load, etc., can be used as a mean of communication among users or processes
in a computer system. This concept is studied in highly trusted computer systems,
where certain ows of information are to be prohibited, see e.g. 25].
1.3 Secret sharing
In reality, rights and powers in corporations and organizations are usually shared
among a number of parties. The purpose of secret sharing is to realize such sharing
systems and their variants in a cryptographic way, under various malicious attacks
from both insiders and outsiders, as well as natural errors. In the secret sharing model,
such a right or power usually resolves to the possession of certain secret information,
in particular a cryptographic key.
For example, in a banking system, one wants that any coalition of two or more vice
presidents can open the vault, but not any single of them. This gives the exibility
that, for example, when the bank has 10 vice presidents and 8 of them are sick or on
trip, the bank can still continue working with its two remaining vice presidents. This
scheme also protects against the existence of a bad vice president, who may try to
open the vault for non business purpose of the bank.
6
Secret sharing also nds applications in protecting secrecy and integrity of information. For instance, a company may need to store its precious database securely
some where in its oce complex. This database can contains sensitive information,
such as customer bases, prots from each products, marketing plan, or even cryptographic keys, etc... If these data are to be stored in a central location, then it creates
a single point of failure, which welcomes either denial of service, theft of data, or
both of them. Simply replicating the database does not make the problem vanished,
because it also increases the chance of theft.
A solution to this problem is to share the database into n pieces (also called
shares) so that each share will contain no useful information, but only combinations
of them will. The shares are then distributed to n dierent locations. Such a sharing
scheme is called an m-out-of-n threshold scheme (1 m n) if given any subset of
m shares, the original database can be reconstructed, but no useful information can
be inferred from a subset of m ; 1 of them.
With these terminologies, one can view Vernam's one-time pad cryptosystem as
a 2-out-of-2 threshold scheme, where the two shares are the secret key and the ciphertext. To recover the cleartext, one needs access to both the secret key and the
ciphertext.
7
Chapter 2
Concepts and techniques
In this chapter, we review several approaches to information hiding, how digital information is embedded in text, image, audio, and video. We then recall basic concepts
and techniques used in signal processing and computer graphics that are useful for
our work later.
2.1 Software oriented approaches
In general, software oriented approaches rely on the use of a universal computing
device, such as a computer, to encrypt and decrypt hidden information. Although
the availability of a computer gives a wider choice of algorithms, it does not imply
that the security is better. We will now review them in more details.
In the 1980s, document-leaking became a so serious problem that Margaret Thatcher
had all her cabinet's word processors programmed to hide their identity in the word
spacing of the documents so that disloyal ministers could be traced 1]. Later, the
same technique was extended and used by Bell Labs of AT&T to make it easier identifying people who redistribute electronic documents 24]. The identifying marks were
encoded in line spacing, word spacing, and some font features.
An old method for hiding information in text (called covertext) is based on synonyms of words 22]. In a variant 9], given any English text, one transforms the text
8
into some new text, called stegotext, with the same meaning, but whose words are
substituted with their synonyms. The choice of synonyms for substitution is free,
hence can be used to store one or several bits there. To decrypt, one just looks up
words in the synonym list, or the code book. This method is in fact an improved
version of a similar method described in 39], which does not preserve the meaning of
the covertext, but its character and digraph statistics only.
A simple and well known method for hiding information in audio and video content
is to use the least signicant bits (LSBs) in the sampled values. Changing some LSBs
does not result in a noticeable degradation in an image or an audio stream. Thus
the LSBs can be used to store hidden information instead. This method oers a
relatively high communication bandwidth. For example, in the case of a 24-bits real
color picture, the bandwidth of the hidden channel can be as much as one tenth of
the original channel's 18]. Although this scheme, as well as the schemes described
above, were able to hide some information into innocuous looking covertext, they are
not secure in the sense that any one having access to the stegotext can decrypt the
hidden information.
Similar methods, such as putting hidden data in certain elds of a compressed
le, or of a communication protocol, are also insecure for the same reason.
A better method is to hide information into certain statistics of some secret random sample of points in an image, which is the approach of Patchwork algorithm 3].
2.2 Dedicated hardware approaches
In contrast to software oriented approaches, these approaches do not rely on any
universal computing device. They use much simpler hardware to decrypt the hidden
information. This is especially useful in some cases. For example, when a center wants
to distribute information to many clients then the less expensive hardware used in the
9
clients, the better. This is the case of broadcasting, smart-cards, and other terminal
devices.
2.2.1 Visual cryptography
In 1994, Naor and Shamir 28] have opened the door to cryptographic computation
which can be done without the use of a computer, e.g. by transparencies. Their
research has mainly focussed on guaranteeing privacy, and the decryption requires
only primitive technology. Although a computer is needed to generate the ciphertext
and the key, having no need for a computer to decrypt, one can also verify the
correctness of the encryption computation. We demonstrate that this idea can be
extended further, towards computations in which one has more properties than just
the requirement of privacy, i.e. covert.
The way visual cryptography achieves its goal is by having the key and the ciphertext (in secret sharing's words, the secret shares of the cleartext 5, 33]), correspond
to points printed on respective transparencies. By stacking one on top of the other,
the cleartext is revealed. The following is a more detailed description of the scheme.
The secret picture is a binary picture. For each point in the secret picture, if it
s black, then with probability one half, the two corresponding points in share-1 and
share-2 are encoded as the pair (L R). And with probability 1=2, they are encoded
as the pair (R L), where L is the square in the gure 1, and R is the square in
the gure 2. Otherwise, i.e. if the point in the secret picture is white, then the
two corresponding points in share-1 and share-2 are encoded as the pair (L L) with
probability 1=2, or as the pair (R R) with probability 1=2.
To decrypt, one stacks one transparency onto the other. The secret picture will
then show up in the following manner. Each black point is shown as a completely black
square, while each white point is shown randomly as one of the two squares in the
gures 1 and 2. Note that, one needs to be carefully stacking the two transparencies
10
Figure 1: Black-white square L
Figure 2: White-black square R
together so that the points in the shares are paired correctly with each other. To give
an idea of how this method works, we give here an example taken from 37]. In the
example, the gure of a Greek letter (gure 3) is split into two shares, which are
gures 4 and 5, respectively. Their combination using transparencies will reproduce
the letter in a random background.
A major disadvantage of visual cryptography, as pointed out by for example,
Figure 3: Cover picture of Greek character 11
Figure 4: First share of Greek character Figure 5: Second share of Greek character 12
Desmedt-Hou-Quisquater 14], is that random transparencies stick out from real pictures. Also Biham 4] recently addressed this issue, but the obtained ciphertext (and
key) transparency is dierent enough from normal ones to allow a censor to block the
delivery. Steganography, which may be older than cryptography 22], solves this problem. However, in many schemes the privacy is not perfect and many such schemes
have recently been broken 2].
2.2.2 Audio and cerebral cryptography
Desmedt-Hou-Quisquater combined the concept of visual cryptography with steganography to obtain some other schemes, which are now described in more details.
In the rst scheme, the shares (ciphertext and the key) look like normal pictures.
For each share, a subset of lines and columns are deleted from the picture so that when
they are combined by looking through a 3-D viewer (similar to an old Viewmaster), a
stereo-gram is obtained. The encrypted cleartext will then show up as square blocks,
randomly up or down relative to the background 14].
The scheme uses some interesting trick to deceive the human visual system (HVS)
into 3-D perception of some objects. The point is when an object is visible to one eye
but the other, the HVS automatically assumes that the object is lower or higher in
the scene, comparing to those that are visible to both eyes at the same time. Using
this knowledge, if each share is seen by one eye separately (i.e. as done in a 3-D viewer
or an old Viewmaster), then one can control which portions are going to be seen by
each eye. Consequently, one can trick the brain to an illusion that some blocks in the
picture are up or down, while some others are normal. These up/down blocks are
then used to encode the secret information.
In the second scheme, i.e. binary audio cryptography, the ciphertext and the key
correspond to music whose phases have been changed. If the corresponding bit in
cleartext is 1, then the two pieces of musics in the two respective shares will be in
13
phase, otherwise they will be out of phase. Hence when heard together, a bit 1 in
the cleartext will correspond to a constructive interference of the two shares, whose
net eect is an increase in the amplitude of the combined music. And a bit 0 in the
cleartext will then correspond to a destructive interference of the two shares. This
results in a decrease of amplitude in the combined music.
2.2.3 Covert cryptography
Since human voice or real pictures are much better means of communication between
a human user and a cryptographic device, we want to develop simple cryptosystems
whose plaintexts are not barely binary digits, but higher level languages such as voice
or images. In other words, we look for information hiding schemes with the following
properties:
Secrecy: the information sent is protected from unwanted eyes.
Covert: the existence of the secret channel is invisible to others.
Simple: the decryption involves simple device only.
One might question why one needs simple schemes when one already has powerful
computers to run the most sophisticated encryption algorithms. It has been known
that, in 1997 the Swedish government has discovered a trapdoor built into its internal
e-mailing system 26], that broadcast the rst 24 bits of all its private keys into the
Internet. This eectively allows the trap-door's creator to decrypt every encrypted
email sent by its government.
On the other hand, Kleptography 40] also shows how an encryption device can
\securely" leaks its private keys to the network without creating any trace. Thus a
complex black-box system may not be trusted. In the previous example, neither the
reputation of the manufacturer nor the high price of the system seems to protect its
14
integrity. To have a trusted system, one has to build it on his own, or the system
must be simple enough so that one is able to check its implementation correctness.
The latter is our approach.
In the next Chapters, we will describe several techniques used in deriving such
schemes.
15
2.3 Basic techniques
2.3.1 Sampling
A signal f is mathematically modeled as a continuous real function f (t) on the real
domain f : R 7! R , where f (t) denotes the measured value of the signal f at time t.
Sometimes it is more convenient to represent the value using complex numbers, then
we can consider f (t) as a complex valued function. The function f (t) is called time
domain representation of the signal f .
While a continuous real function is comfortable for mathematical analysis, it is
inconvenient for a digital computer to process. Hence before further processing with
a computer, a signal f is rst sampled, usually at a regular grid in the time domain.
The sampling operation means taking the values of function f (t) at a discrete time
set Lt = fnt jn 2 Zg. This reduces the continuous function f (t) to a discrete set
of values ffn = f (nt )g, called samples of f . Parameter ! := 1=t is then called
sampling frequency.
For a real gray level picture, we use a function f (x y) with two variables x and y
indicating the x-coordinate and y-coordinate. The sampling operation on f (x y) is
then taking its values at a regular grid Lxy in the space domain:
Lxy := f(mx ny ) 2 R 2 j m n 2 Zg
(1)
Of course, sampling looses a huge amount of information about the original function
f (t), unless certain conditions are satised. In the next subsection, we will see when
sampling does retain the complete information about function f (t).
2.3.2 Fourier transforms
Associate with a signal f , there is also a frequency domain representation of it as
a complex valued function F (!), obtained from its time domain counter-part f (t)
16
through Fourier transform:
Z
1
F (!) = p1
f (t)e;i!t dt
(2)
2 ;1
The time domain counter-part f (t) can be reconstructed from F (!) with the
inverse Fourier transform:
1
1
p
F (!)ei!tdt
(3)
f (t ) =
2 ;1
If the signal f is nite energy and periodic of 2, we have the Fourier series
representation:
1
a
0
f (t) = 2 + an cos(nt) + bn sin(nt)
(4)
Z
X
n=1
where the constants an bn are determined by the integrals:
Z
Z
1
b =
an = 1
2
0
f (t) cos(nt)dt
(5)
2
(6)
0 f (t) sin(nt)dt
Note that a generic periodic signal of period T can be made into period 2 by
appropriate scaling in the time domain, and that a signal with compact support in
the time domain can also be made into periodic signal by repeating itself outside its
support. Hence we can practically assume that our signals are periodic of period 2.
By rewriting each individual frequency as:
n
p
an cos(nt) + bn sin(nt) = cn cos(nt ; n)
(7)
where cn = a2n + b2n, and n = arctan (bn=an), we obtain cn and n, which are the
amplitude and phase of the nth frequency, respectively. It is convenient then to write
the signal f in complex form:
1
f (t) = Re Fneint
(8)
X
n=0
17
where Fn = cnein , is the complex number, whose absolute value cn, denoted as
abs(Fn) is the amplitude, and whose argument n, denoted as arg Fn, is the phase of
the nth frequency eint . In other words, Fn is the coecient of the nth frequency in
the signal f (t).
Assuming that the signal f (t) is band-limited and periodic with period 2, then
by Nyquist theorem 36, 8], we know that if f is sampled at sampling frequency
N = 1=t , then its time domain representation f (t) can be restored up to frequency
N=2:
f (t) =
XF e
N
n
n=0
int
(9)
To compute these Fourier coecients Fn from the samples fn, we have the discrete
Fourier transform (DFT) 36]:
Fk = p1
N
X f e;
N
n=0
n
(2i=N )kn
(10)
and inverse discrete Fourier transform (i-DFT) to go back to the samples:
fn = p1
N
XF e
N
k=0
k
(2i=N )nk
(11)
Cooley and Tukey 's theorem gives fast algorithms to evaluate these transform in
O(N log(N )) time 11].
2.3.3 Aliasing and Moire patterns
In the gure 6, a 10Hz sinusoidal signal sin(10t) (the one on top) is sampled at
a slightly dierent frequency, namely 11Hz. The resulting sampled signal is then
sin(t), radically dierent from the original one. This is known as the aliasing eects
in sampling. The following should explain this in more details.
If we look at the inverse DFT's formula (11), all the frequencies k + nN (n =
0 1 2 :::), which represents in f (t), are accumulated in coecient Fk . Thus if the
18
Figure 6: Aliasing eect in one dimensional signals
signal f does not have any frequency higher than Nyquist limit, the coecient Fk is
the exact coecient of the k-th frequency. Otherwise, it also accumulates coecients
of higher frequency in it, namely, k + N , k +2N , k +3N , etc... An illustrating example
of this eect is when a signal f of single frequency sin(!t) is sampled at frequency
! + 1. Then the reconstructed signal f 0(t) is simply sin(t) 6= sin(!t).
The same thing happens to sampling of two dimensional signals, i.e. real picture.
If a picture containing good amount of some high frequency, is sampled at a frequency
slightly dierent from that frequency, then the high frequency portion in the picture
becomes a low frequency pattern in the sampled picture, know as Moire pattern, see
e.g. 21]. These eects are thus results of under sampling. In the next paragraph, we
will see that these eects also occur in other dierent situations.
19
Figure 7: Moire transparency of relative angle 10o
Moire transparencies
When we superimpose one transparency onto another, the resulting transparency is
the multiplicative and of the two component transparencies (i.e. denoting 1's for
white dot and 0's for black dots). This is nothing else but sampling one transparency
at the locations of white points on the second transparency. So if the set of white
points on two transparencies are relatively regular, i.e. they contain a big amount
of high frequencies (called H1 and H2 respectively) and that these two sets are relatively dierent (H1 H2) then they also create Moire patterns in the resulting
transparency (H1 and H2 ) is a low frequency. For example, by stacking two copies of
the same transparency, where one is slightly rotated relatively to the other, then we
see the Moire patterns. Figure 7 illustrates this.
Note that dierent angles of rotation create dierent relative dierences in the frequencies of the two respective transparencies, hence create dierent Moire patterns.
20
Chapter 3
Covert audio cryptography
In this chapter, we study techniques to hide secret speech into other audio channels,
such as music and radio. Since we are trying to hide information, while keeping
the original audio signal as much as possible, it is relevant to understand how the
human auditory system (H.A.S.) functions, where are its hidden places. We then
give in section 2 a schemes for hiding a speech in a host audio signal, making use of
the masking eect. In section 3, we provide two other hiding schemes which employ
the indierence of the H.A.S. with respect to phase shifting, and especially, to the
negation of audio signals.
3.1 Human auditory system
The human auditory system is a complex system consists of the ears, communication
links to the brain, and the brain itself 36]. The ears act as microphones, receive air
waves from the environment, convert them into electrical pulses and then send them
through the communication links to the brain for further cognitive processing.
Modern research shows that the human ears work in real-time as a frequency
analyzer 36]. They have a set of nerves, each one has a hair of dierent lengths and,
thus, resonates to dierent frequencies. Usually, the outer nerves have longer hair
and, therefore, resonate to lower frequency. Because each hair can only resonate to
21
a specic frequency, the set of auditory nerves and their hairs make up a real-time
frequency analyzer which sends the power level of each frequency to the brain in the
form of impulsive signals.
This is the reason why the human ears are sensitive to the power level of each
individual frequency but not the phases individually. Only the relative phases among
frequencies would be important to the ears and the brain. Hence, when we shift each
frequency by the same phase, then the new audio signal is indistinguishable to the
human auditory system. In our tests, when we choose a small number of samples (i.e.
512-1024) for doing DFT, the phases of the signal can be shifted by any angle with
very little distortion in the quality of the resulting signal. It is known that the phase
information is more important than the amplitude information in forming the sound.
This is also true in the picture domain, see e.g. 21]. However, when the DFT size
is small, i.e. 512 points, the amplitude information becomes more important. These
will be used later in two of our techniques.
3.1.1 Masking eects
Our goal is to seek for some candidates to hide another audio signal from the human
auditory system to hide another signal. One of the good candidates for such a place
is the masking eect happening in the human brain. This eect appears when both
very high and very low power level signals are present. The high power signal tends
to mask out the low power one. This is clearly demonstrated in the case where we
are having a phone conversation from a mobile phone in the street and a sudden big
truck comes by. While the truck is passing we cannot hear anything on the phone.
Although the masking eect is greater at higher and lower frequencies, it does appear
at every frequency in the audible range 20]. We can use this fact later to choose the
best power spectra for the carrying signal.
Physics brings us a noise-canceling eect, also used in 13]. When signals of the
22
Figure 8: Abstract model of covert audio cryptography.
same power are out of phase and played together, two signals will cancel each other
out. So we will not hear anything then.
3.2 Covert model
Figure 8 illustrates model of covert audio cryptography. In the gure, the embedded
audio signal is rst split into two signals, called pre-shares, so that their sum resembles
the embedded signal, but each of them is independent of the embedded signal. There
are three algorithms to do this, described in more details in the next sections. The
pre-shares are then added to the cover signal to create the actual shares.
3.3 Hiding aspect
In the rst two methods (the phase shifting and frequency ipping methods), we
applied DFT on only 512 samples. This introduced what is known as frequency
leaking 36, 8], which implies a degradation when computing the inverse transform.
In order to avoid this problem we did not apply the DFT on the cover (e.g., the music),
but only on the message (the speech). This way we avoided frequency leakage impacts
on the audio quality of the shares.
23
First we let m00 (t) be the original message signal, but slightly modied to m0(t),
depending on the method, as we will explain later. To guarantee that the shares are
audible, we created temporary pre-shares from the (modied) message signal m0(t).
We call their sum m(t), i.e., m(t) = s1(t)+ s2 (t). To recover the message we evidently
need m(t) sounds very similar to the original message signal. The actual shares are
made by mixing the pre-shares with the covering signal c(t), e.g. a music signal, as
follows:
share1(t) = ks1 (t) + (1 ; k)c(t)
share2(t) = ks2 (t) + (k ; 1)c(t)
where k is some small positive constant chosen between 0 and 1. It was chosen small
enough so that the masking eect occurred, thus hides the pre-shares into the cover.
We note that this addition is done in the time domain.
3.3.1 Perfect secrecy
To guarantee perfect secrecy we obviously need s1(t) and s2 (t) to be independent of
the message, as in 34].
De
nition 1 Given signals m00 (t) s1(t) s2(t). We call the following statements
8t0 m00 2 R : P m0 (t0 ) = m00 s1] = P m0 (t0 ) = m00 ]P s1 ]
8t0 m00 2 R : P m0 (t0 ) = m00 s2] = P m0 (t0 ) = m00 ]P s2 ]
secrecy condition.
It was not easy to achieve this condition for our setting, as will be evident later.
Some of the schemes we developed had to be rejected, since they did not satisfy perfect
secrecy. Moreover we need to be careful, since s1(t) and s2(t) are analog signals and
perfect secrecy over the reals is impossible 6]. By working with discrete values and
choosing discrete random values we avoided the last problem.
24
3.3.2 Decryption
The decryption method used in audio cryptography in 13] consisted of playing the
rst share on speaker one and the second share on speaker two. Theoretically this
should work for our non-binary audio crypto-systems, too. Indeed, share1 (t) +
share2(t) = k(s1(t) + s2(t)) = km(t). However, tests have demonstrated that this
does not work. There are two problems. First the mixing obtained is not good
enough, and so one only hears the cover (the music). In order to solve this problem
an inexpensive audio mixer suces. Secondly, even using an audio mixer, one is still
unable to hear the message. The reason is that k is so small, we cannot hear the
message clearly. This is solved using an (old fashioned) amplier. In Section 3.5 we
will report in more details on the tests.
Note that the result of the decryption method is m(t) the modied message. As
long as m(t) sounds similar to the original message, we have achieved the decryption
goal.
3.3.3 Common techniques
In the following sections, we choose a xed lter, g(t), with non-at power spectra,
where the lower and higher frequencies get more power than the middle ones, as
in gure 9. This curves was chosen based on the human ears' sensitivity to each
frequencies.
In the last two methods (the phase shifting and phase ipping methods), we
modify the original message m00(t) as follows. First m0 (t) := m00(t). Secondly, for
all !: if abs(M 00 (!)) > abs(G(!)) we make abs(M 0 (!)) = abs(G(!)). In the rst
method m0(t) = m00(t). How m(t) depends on m0(t) will be explained in a moment.
25
1
0.8
0.6
0.4
0.2
00
5000
10000
Frequency
15000
20000
Figure 9: Frequency lter g(t)
3.4 Schemes
3.4.1 Modular amplitude scheme
In this method we pretend that the signals belong to the reals modulo a number. We
compute the pre-shares this way, which will create errors when decrypting.
Theorem 1 Assuming that m0 (t) is the original message and f > 1 and abs(m) <
max, then the signals s1(t) and s2 (t) determined by the following formula:
s1(t) 2R ;(max + 1) 0)
s2(t) = m(t)0 =f ; s1 (t)( mod max)
satisfy the secrecy condition. The probability that m(t) = s1 (t) + s2 (t) 6= m0 (t) is less
or equal to 2=f 1 .
1 One can choose an integer element with uniform probability in the range ;(max + 1)..;1
26
Proof
This is one-time pad over the reals modulo max, so secrecy condition is automatically
satised.
Now, P m=f ; s1 max] = P s1 m=f ; max] P s1 max=f ; max] = 1=f
and P m=f ; s1 < 0] = P m=f < s1] P ;max=f < s1] = 1=f . These are the only
cases where a reduction modulo max is done.
2
3.4.2 Phase shifting scheme
The phase of the rst pre-share is chosen uniformly random modulo 2. The amplitude of the pre-shares corresponds to the one of g(t). Using elementary properties
of trigonometry we guarantee that the amplitude of the sum of the pre-shares is the
same as that of the message. Using the properties of the human auditory system (see
Section 3.1) the resulting decryption will sound like the original message.
Theorem 2 Assuming that m0 (t) is the message modied as explained in Section 3.3.3
and c(t) is the covering signal, and that the signals s1 (t) and s2 (t) are determined by
the following formula:
S1 (!) = eir1 abs(G(!))
S2 (!) = eir2 abs(G(!))
where r1 2R 0 2)
where r2 = r1 + 2 arccos(abs(M!0 )=abs(G! )) modulo 2:
then we have the secrecy condition. Moreover, the amplitude of m(t), the sum of the
shares, is twice the amplitude of m0(t).
Proof
Clearly r1 2R 0 2), hence it is uniformly random2 and independent of m0(t). Also
r2 ; r1 = 2 arccos(abs(M 0 (!)=G(!))) mod 2
One can choose an element with uniform probability in the interval 0 2). Note that we actually
choose r1 as a uniform random (modulo l) multiple of 2=l, where l is an integer.
2
27
is independent of r1, therefore:
r2 = r1 + 2 arccos(abs(M 0 (!)=G(!))) mod 2
is also uniformly random and independent of m(t), as follows from a generalization
of 34]
Consequently, S1 (!) and S2 (!) are independent of m(t), and so are their inverse
Fourier transform s1(t) and s2 (t).
Now using elementary trigonometry, we obtain M (!) = S1 (!)+S(!) = 2ei(r1 +r2)=2 cos((r2 ;r1 )=2)abs(G(!)) = 2ei(r1 +r2)=2 abs(M 0 (!)=G(!))abs(G(!)) = ei(r1 +r2 )=2 2 abs(M 0 (!)).
2
3.4.3 Phase ipping scheme
In this scheme, we use small DFT window so that the amplitude information becomes
the dominant one.
Since analog signals do not add up modulo 2, as one can do in the one time pad,
we had the feeling that such a modulo approach may create a hard to understand
decryption (see Sections 3.4.1 and 3.5 for a discussion on this topic). The idea was to
work modulo jG(!)j, where G(!) was chosen above, but when a reduction would be
needed we replaced the output by zero. That means, we rst choose S1(!) with random phase (modulo 2), and random amplitude (modulo jG(!)j). S2(!) is then the
dierence of M (!) and S1(!) (modulo jG(!)). When a reduction modulo jG(!) occurs, i.e. when M (!) ; S1(!) is either greater than jG(!) or smaller than ;jG(!), we
set S2(!) to ;S1 (!). This makes the reconstructed M (!) understandable. However,
this scheme turned out not to guarantee perfect secrecy. The following modication
of this idea, explained in the next theorem, however, maintains the security.
28
Theorem 3 Assuming that m0(t) and g(t) is the message and lter signal respectively. Let r1 and r2 be chosen from the following ranges:
r1 2R 0 2)
r2 2R ;abs(G(!)) abs(G(!))]3
Then the signals S1 (!) and S2 (! ), determined by the following formulas:
M? (!)
S01 (!)
S002 (!)
S02 (!)
S1 (!)
S2 (!)
2R fabs(M0(!))g
=
=
=
=
=
r2
M? ; r2
if (abs(S002 (!)) G) then S002 (!) else ; S01 (!)
eir S01 (!)
eir S02 (!)
1
1
satisfy the secrecy condition, . Moreover, the amplitude of M(!), the sum of the
shares, is the amplitude of M0 (! ) or zero.
Proof
For short notations, we drop the variable ! and use the capital letters C G Si Si0 M
M 0 S200 only. We also let (x) be a real function over the complexes, which equals
1 when abs(x) G, and 0 otherwise. We need to prove that each of S1 and S2 is
independent of M . We do this by rst showing that S01 and S02 are independent of M .
Then, because r1 is independent of anything else, it will be straightforward to obtain
that S1 and S2 are independent of M .
Now S01 := r2 is chosen randomly, independent of anything else, so it is independent of M . For each real value v 2 ;G G] and each complex value 2 C ,
29
abs() G, we then compute:
P S02 = v k M = ] = P S02 = v k M? 2R fabs()g M = ]
= P S02 = v abs(S002 ) G k M? 2R fabs()g M = ]+
P S02 = v abs(S002 ) > G k M? 2R fabs()g M = ]
= P S002 = +v abs(S002 ) G k M? 2R fabs()g M = ]+
P S01 = ;v abs(S002 ) > G k M? 2R fabs()g M = ]
= P S002 = +v k M? 2R fabs()g M = ]+
P S01 = ;v abs(S002 ) > G k M? 2R fabs()g M = ]
= P M? ; r2 = +v k M? 2R fabs()g M = ]+
P r2 = ;v jM? ; r2j > G k M? 2R fabs()g M = ]
= P abs() ; r2 = +v]+
P r2 = ;v j abs() ; r2j > G]:
But we have:
P abs() ; r2 = +v] = P r2 = abs() ; v]
= (
(abs() ; v) + (;abs() ; v))=2G
and also:
P r2 = ;v j abs() ; r2 j > G] = P j abs() ; r2 j > G k r2 = ;v]P r2 = ;v]
= P j abs() + vj > G k r2 = ;v]=2G
= P jabs() + vj > G]=2G+
P j ; abs() + vj > G]=2G
= (2 ; (abs() + v) ; (;abs() + v))=2G
so:
P S02 = v k M = ] = P abs() ; r2 = +v]+
P r2 = ;v j abs() ; r2 j > G]
= (
(abs() ; v) + (;abs() ; v))=2G+
(2 ; (abs() + v) ; (;abs() + v))=2G
= 1=G
30
which is independent of . Hence S02 is independent of M . And so is S1 and S2 .
Note that if M (!) is simply replaced by jM (!)j in the theorem, then the scheme is
insecure.
2
3.5 Discussion
We did several tests using a TEAC Model 2 mixer and an Apollo amplier, which are
both analog devices. The mixer has four input lines but we needed only two of them.
The dynamic range of the amplier is about 40dB. The cover signal is a piece of music
from Beethoven's For Elise, and input signal is a speech by President Clinton. Both
were sampled at 11025 Hz.
All three methods were very well at playing back each of the shares. They are
very clean of noises and we almost can not distinguish them from the original music.
The following results were obtained when decrypting the ciphertext by playing
each pair of the shares together, using the mixer and the amplier. For the phase
shifting and phase ipping methods, the speech was clearly understandable. We were
not only able to understand the text but also to recognize whose voice it was and
the tone of the speaker. For the modulo amplier method, with a linear amplier we
clearly heard some clicks. These clicks made it harder to recognize the speech, hence
we had a trade-o between the number of clicks and their amplitudes. With a mixer
and a nonlinear amplier, however we can overcome this problem. With a little of
training, one can easily recognize the voice of the embedded signal. We attached a
CD-ROM containing the cover and embedded signals, as well as the resulting modied
signals produced by the hiding algorithm.
A problem one faced when playing both the shares at the same time is synchronization. We nd that available analog techniques 12] allow one to start playing two
audio streams at almost identical times, with timing errors of about 0:3s, much less
31
than we need, i.e. of about 10s. A notable point is that these techniques are widely
available not only in the market, but also at homes.
32
Chapter 4
Covert visual cryptography
This chapter is devoted to building covert channels in pictures and real images. In
Section 1, we give an abstract covert model of our scheme. We then introduce a new
technique of forming image on transparencies, namely with an usage of the Moire
eect. This technique is then used in in Section 3 to recover embedded picture from
a pair of shares (transparencies). In Section 4, we relate our work in covert visual
cryptography to the pioneering work of Naor and Samir in visual cryptography.
4.1 Covert model
We illustrate the model of covert visual cryptography in gure 10. In the gure, the
character R stands for the operation of randomizing embedded picture into two random pre-shares, each of which is independent of the embedded picture. Further more,
their combination (with an exclusive-or operation) is the embedded picture. This is
one-time-pad technique. It can be done by choosing the rst pre-share uniformly
random. The second pre-share is then embedded picture xor the rst pre-share.
The character H in the picture stands for the hiding algorithm. It takes two
arguments, a real (cover) picture and a random monochrome pattern (these patterns
are the pre-shares in our scheme). Algorithm H then formats the normal input picture
accordingly to the pattern. It copies each dot in the the original (cover) picture into
33
Figure 10: Abstract model of covert visual cryptography
34
Figure 11: Modied elliptical dots used in hiding
the resulting picture and draws them in an elliptical shape. If the corresponding
point at the same location in the pattern is black, then the ellipse is rotated 45o,
i.e. pointing northwest, otherwise it is rotated 135o, i.e. pointing southwest. These
rotated ellipses are shown on gure 11. One on the left corresponds to a black dot,
while one on the right corresponds to a white dot, on the pattern.
The resulted (share) pictures now look identical to the original (cover) picture
because each point in the cover picture is copied to the same location and with the
same area in the resulted (share) pictures. The only dierence is that the dots are
not discs but ellipses. So only the high frequency were modied, leaving the lower
frequencies unchanged. When the sampling frequency is high enough, this dierence
is invisible to the human eyes.
To recover the embedded picture, the shares are combined together by superimposing one onto another. This is denoted as the operation in gure 10. In the next
section, we will study how these rotated dots form the embedded picture in the Moire
eect.
4.2 Technique
If we denote 0 and 1 for the black dots and white dots respectively, then the combination of two transparencies is a multiplicative dot-wise operation. This is not a group
operation on the binary set f0 1g, therefore we cannot use it directly to produce
35
perfectly secure visual shares. In visual cryptography, this problem is overcome by
encoding 0 and 1 as random matrices of black and white points, thus makes the share
randomly looking.
In this thesis, we propose other construction employing the Moire eect. To encode
a bit 0 or 1, one uses dierent Moire patterns. As we noted earlier (in Chapter 2),
one can produce dierent Moire patterns with dierent angles of rotation, i.e. relative
angle between the transparencies.
More concretely, we encode a bit 1 (in the recovering phase) as a combination of
two small squares, whose dots are rotated by two respective dierent angles. Similarly,
to encode a bit 0, we use two squares with dots rotated by same angle. Hence in the
resulting combination of the two shares, the embedded picture appears as a picture
with one Moire pattern for black areas and another Moire pattern for white areas.
So in this technique, it is the Moire pattern that form the embedded picture! while
in visual cryptography of Naor and Samir, it is the average gray levels of the squares
that form the embedded picture. It has certain advantages that will be discussed in
section 4.4.
We now give gure 12, in order to illustrate the decoding operation.
4.3 Moire scheme
4.3.1 Encryption
Theorem 4 Let C and M be the cover and embedded pictures, respectively. Then
the shares S1 and S2 determined by the algorithm:
1. Choose q 2R f0 1gnn.
2. Obtain S1 by rotating the dots of C accordingly to pattern V(q).
3. Obtain S2 by rotating the dots of C accordingly to pattern V(q xor E ) .
satisfy the following conditions:
36
Figure 12: Illustration of decoding operation
i. Perfect secrecy: S1 and S2 are independent of M .
ii. Visual hiding: S1 S2 C .
iii. Moire decryption: M Moire (S1 S2).
4.3.2 Decryption
The decryption process is particularly simple. We stack the two shares onto each
other to create Moire patterns.
When Mij = 0, the dots of S1 and S2 inside the square (i j ) are rotated with the
angle, i.e. their combination is either LL or RR, where L stands for a 45o rotated
ellipse and R stands a 135o rotated ellipse. This gives a Moire pattern of one type.
When Mij = 1, the dots of S1 and S2 inside the square (i j ) are rotated with two
dierent angles, so their combination is either LR or RL. This gives a Moire pattern
of another type, whose texture is dierent from that of the previous one.
The embedded picture M is now visible in the Moire pattern. The black areas
of M corresponds to texture of one type, while the white areas of M corresponds to
37
texture of another type. The two types of textures are visually dierent so one is able
to visually recognize M .
4.3.3 Secrecy
Theorem 5 The shares Si produced by the algorithm given in section 4.3.1 are probabilistically independent of the original picture M .
This automatically follows from that of the one-time-pad scheme 34] so we need
not to include a proof in here.
4.4 Results and comparison
We give here a sample input and output of our algorithm. Input to the algorithm is
a picture of Barbara (gure 13) as the cover picture, and a picture of the character T
(gure 14) as the embedded picture. The produced rst and second shares are given in
gures 15 and 16, respectively. Combination of these two shares using transparencies
reproduces the character T.
We now compare our work to previous work of Naor and Shamir's on visual
cryptography 28]. In their scheme, one xes two transparencies onto each other
exactly so that the dots will add up correctly. In our scheme, Moire pattern is more
stable with respect to rotation and translation. So even if the transparencies are
slightly misplaced or rotated, Moire pattern still occurs, i.e. the embedded picture
is still visible. In fact, experiments have demonstrated that when one transparency is
moving relatively to the other, then the embedded picture becomes more clear. Thus
we have improved robustness against errors in the decryption operation. We should
also stretch that the shares in our scheme are real pictures, not randomly looking
ones like in 28].
38
Figure 13: Cover picture of Barbara
Figure 14: Embedded picture of character T
39
Figure 15: First share of character T
40
Figure 16: Second share of character T
41
The running time of the algorithm is linear in the total size of the input pictures.
In practice, the time consuming stage seems to be the printing one.
42
Chapter 5
Summary
5.1 Conclusions
Steganography is an ancient art of secret writing, which hides information into other
forms of communication. With the introduction of computers, more complicated
algorithms became practical. They can oer many more good properties than the
original techniques can do, for example proven secrecy. In this work, we have shown
that one can achieve perfect secrecy together with a simple decryption, such as the
usage of an audio mixer, or a slide projector. Further, the embedded information is
human voice or real picture, thus makes it more attractive to use.
5.2 Open problems
Three aspects have been addressed in this work: information hiding, secrecy, and
simplicity of decryption. It thus opens the following questions: can we use the developed techniques in here for purposes other than encryption, such as authentication,
e.g. digital watermarking? Another direction which is also worth of further investigation is to give a general abstract hiding model that also address statistical and
computational undetectability of the hiding operation. In the context of digital watermarking, the question is how these techniques resist removal operations! and how
43
one can improve their resistance against such operations.
44
Bibliography
1] R. J. Anderson and F. Petitcolas, On the limites of steganography, IEEE
Journal on Special Areas in Communication, 16 (1998), pp. 463{473.
2] D. Aucsmith, ed., Second International Workshop on Information Hiding, 14{
17 April, 1998, Portland, Oregon, USA, vol. 1525 of Lecture Notes in Computer
Science, Berlin, Germany / Heidelberg, Germany / London, UK / etc., 1998,
Springer-Verlag.
3] W. Bender, D. Gruhl, N. Morimoto, and A. Lu, Techniques for data
hiding, IBM Systems Journal, 35 (1996), pp. 313{336.
4] E. Biham, Lecture notes. Note, September 21-26 1997.
5] G. R. Blakley, Safeguarding cryptographic keys, in 1979 National Computer
Conference: June 4{7, 1979, New York, New York, R. E. Merwin, J. T. Zanca,
and M. Smith, eds., vol. 48 of AFIPS Conference proceedings, Montvale, NJ,
USA, 1979, AFIPS Press, pp. 313{317.
6] G. R. Blakley and L. Swanson, Innite structures in information theory, in
Advances in Cryptology: Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and
A. T. Sherman, eds., Plenum Press, New York and London, 1983, 23{25 Aug.
1982, pp. 39{50.
7] D. Boneh and J. Shaw, Collusion-secure ngerprinting for digital data, in
Advances in cryptology, CRYPTO '95: 15th Annual International Cryptology
45
Conference, Santa Barbara, California, USA, August 27{31, 1995: proceedings,
D. Coppersmith, ed., vol. 963 of Lecture Notes in Computer Science, Berlin,
Germany / Heidelberg, Germany / London, UK / etc., 1995, Springer-Verlag,
pp. 452{465.
8] G. E. Carlson, Signal and linear system analysis, John Wiley & Sons, New
York, second ed., 1998.
9] M. T. Chapman, Hiding the hidden : a software system for concealing ciphertext
as innocuous text, Master's thesis, University of Wisconsin-Milwaukee, 1997.
10] D. Chaum, The dining cryptographers problem: Unconditional sender and recipient untraceability, Journal of Cryptology: the journal of the International
Association for Cryptologic Research, 1 (1988), pp. 65{75.
11] J. W. Cooley and J. W. Tukey, An algorithm for the machine calculation
of complex Fourier series, Mathematics of Computation, 19 (1965), pp. 297{301.
12] E. D. Daniel, C. D. Mee, and M. H. Clark., Magnetic Recording, IEEE
Press, New York, 1999, ch. Timing errors between tracks.
13] Y. Desmedt, S. Hou, and J.-J. Quisquater, Audio and noise-canceling
cryptography, in Rump session of the second Information Hiding Workshop, Lecture Notes in Computer Science, Portland, Oregon, April 15{17 1998, SpringerVerlag.
14]
, Cerebral cryptography, in Proceedings of the second Information Hiding
Workshop, Lecture Notes in Computer Science, Portland, Oregon, April 15{17
1998, Springer-Verlag.
46
15] Y. G. Desmedt, Subliminal-free authentication and signature, in Proceedings
of the Workshop on Theory and Application of Cryptographic Techniques, C. G.
G$unther, ed., vol. 330 of LNCS, Berlin, May 1988, Springer, pp. 23{34.
16]
, Establishing Big Brother using covert channels and other covert techniques,
in Information hiding: rst international workshop, Cambridge, U.K., May 30{
June 1, 1996: proceedings, R. Anderson, ed., vol. 1174 of Lecture Notes in
Computer Science, Berlin, Germany / Heidelberg, Germany / London, UK /
etc., 1996, Springer-Verlag, pp. 65{71.
17] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, IT-22 (1976), pp. 644{654.
18] A. L. Donaldson, J. McHugh, and K. A. Nyberg, Covert channels in
trusted LAN's, in Proceedings of the 11th National Computer Security Conference, 1988.
19] T. E. Gamal, A public key cryptosystem and a signature scheme based on
discrete logarithms, in Proc. CRYPTO 84, G. R. Blakley and D. C. Chaum,
eds., Springer, 1985, pp. 10{18. Lecture Notes in Computer Science No. 196.
20] D. M. Howard and J. Angus, Acoustics and psychoacoustics, Focal Press,
Oxford, 1996.
21] B. Jahne, Digital Image Processing: Concepts, Algorithms, and Scientic Applications, Springer-Verlag, Berlin, Heidenberg, third ed., 1998.
22] D. Kahn, The codebreakers: the story of secret writing, MacMillan Publishing
Company, New York, NY, USA, 1967.
23] J. Markoff, Microsoft to alter software in response to privacy concerns, The
New York Times, (1999).
47
24] N. Maxemchuk, Electronic document distribution, AT&T Technical Journal,
73 (1994), pp. 73{80.
25] J. McHugh, Handbook for the computer security certication of trusted systems, Center for High Assurance Computing Systems, Naval Research Laboratory, Washington, DC, November 1994, ch. Covert Channel Analysis.
26] N. McKay, Spying on spies, Wired News, (1999). Wired Digital Inc.
27] R. C. Merkle, Secure communications over insecure channels, Communications of the Association for Computing Machinery, 21 (1978), pp. 294{299.
28] M. Naor and A. Shamir, Visual cryptography, in Advances in cryptology |
EUROCRYPT '94: Workshop on the Theory and Application of Cryptographic
Techniques, Perugia, Italy, May 9{12, 1994: proceedings, A. De Santis, ed.,
vol. 950 of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg,
Germany / London, UK / etc., 1994, Springer-Verlag, pp. 1{12.
29] National Bureau of Standards, Data Encryption Standard, U. S. Department of Commerce, Washington, DC, USA, Jan. 1977.
30] National Institute of Standards and Technology, Advanced Encryption Standard (AES) Development Eort, National Institute for Standards and
Technology, Gaithersburg, MD, USA, 1998.
31] F. A. P. Petitcolas, R. J. Anderson, and M. G. Kuhn, Attacks on
copyright marking systems, in Second International Workshop on Information
Hiding, 14{17 April, 1998, Portland, Oregon, USA, D. Aucsmith, ed., vol. 1525
of Lecture Notes in Computer Science, Berlin, Germany / Heidelberg, Germany /
London, UK / etc., 1998, Springer-Verlag, pp. 219{239.
48
32] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital
signatures and public-key cryptosystems, ACM, 2 (1978).
33] A. Shamir, How to share a secret, Communications of the Association for Computing Machinery, 22 (1979), pp. 612{613.
34] C. E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal, 28 (1949).
35] G. J. Simmons, The prisoners' problem and the subliminal channel, in Advances in Cryptology: Proceedings of CRYPTO '83 (1983: University of California, Santa Barbara), D. Chaum, ed., New York, NY, USA! London, UK, 1983,
Plenum Press, pp. 51{67.
36] S. W. Smith, The scientist and engineer's guide to digital signal processing,
California Technical Publishing, San Diego, CA 92150-2407, 1997.
37] D. R. Stinson, Introductory page on visual cryptography. University of Waterloo, July 1998.
38] G. S. Vernam, Cipher printing telegraph systems for secret wire and radio
telegraphic communications, J. Am. Inst. Elec. Eng., 55 (1926), pp. 109{115.
39] P. Wayner, Disappearing Cryptography: Being and Nothingness on the Net,
AP Professional, Boston, MA, USA, 1996.
40] Young and Yung, Kleptography: Using cryptography against cryptography, in
EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT, 1997.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2024 Paperzz