Upper and Lower Bounds on Black-Box Steganography

We study the limitations of steganography when the sender is not using any properties of the underlying channel beyond its entropy and the ability to sample from it. On the negative side, we show that the number of samples the sender must obtain from…

Authors: Nenad Dedic, Gene Itkis, Leonid Reyzin

Nenad Dedić, Gene Itkis, Leonid Reyzin, Scott Russell
Boston University, Department of Computer Science
111 Cummington Street, Boston, MA 02215
{nenad,itkis,reyzin,srussell}@cs.bu.edu

March 31, 2008

Abstract

We study the limitations of steganography when the sender is not using any properties of the underlying channel beyond its entropy and the ability to sample from it. On the negative side, we show that the number of samples the sender must obtain from the channel is exponential in the rate of the stegosystem. On the positive side, we present the first secret-key stegosystem that essentially matches this lower bound regardless of the entropy of the underlying channel. Furthermore, for high-entropy channels, we present the first secret-key stegosystem that matches this lower bound statelessly (i.e., without requiring synchronized state between sender and receiver).

Keywords. steganography, covert communication, rejection sampling, lower bound, pseudorandomness, information hiding, huge random objects.

1 Introduction

Steganography's goal is to conceal the presence of a secret message within an innocuous-looking communication. In other words, steganography consists of hiding a secret hiddentext message within a public covertext to obtain a stegotext in such a way that an unauthorized observer is unable to distinguish between a covertext with a hiddentext and one without. The first rigorous complexity-theoretic formulation of secret-key steganography was provided by Hopper, Langford and von Ahn [11]. In this formulation, steganographic secrecy of a stegosystem is defined as the inability of a polynomial-time adversary to distinguish between observed distributions of unaltered covertexts and stegotexts.
(This is in contrast with many previous works, which tended to be information-theoretic in perspective; see, e.g., [4] and other references in [11, 4].)

Preliminary version appears in TCC 2005 [5].

1.1 Model

In steganography, the very presence of a message must be hidden from the adversary, who must be given no reason for suspecting that anything is unusual. This is the main difference from encryption, which does not prevent the adversary from suspecting that a secret message is being sent, but only from decoding the message. To formalize "unusual," some notion of usual communication must exist. We adopt the model of [11] with minor changes. In it, sender sends data to receiver. The usual (nonsteganographic) communication comes from the channel, which is a distribution of possible documents sent from sender to receiver based on past communication. The channel models the sender's decision process about what to say next in ordinary communication; thus, the sender is given access to the channel via a sampling oracle that takes the past communication as input and returns the next document from the appropriate probability distribution. Sender and receiver share a secret key (public-key steganography is addressed in [18, 1]). The adversary is assumed to also have some information about the usual communication, and thus about the channel. It listens to the communication and tries to distinguish the case where the sender and receiver are just carrying on the usual conversation (equivalently, sender is honestly sampling from the oracle) from the case where the sender is transmitting a hiddentext message $m \in \{0,1\}^*$ (the message may even be chosen by the adversary). A stegosystem is secure if the adversary's suspicion is not aroused—i.e., if the two cases cannot be distinguished.

1.2 Desirable Characteristics of a Stegosystem

Black-Box.
In order to obtain a stegosystem of broad applicability, one would like to make as few assumptions as possible about the understanding of the underlying channel. As Hopper et al. [11] point out, the channel may be very complex and not easily described. For example, if the parties are using photographs of city scenes as covertexts, it is reasonable to assume that the sender can obtain such photographs, but unreasonable to expect the sender and the receiver to know a polynomial-time algorithm that can construct such photographs from uniformly distributed random strings. We therefore concentrate on black-box steganography, in which the knowledge about the channel is limited to the sender's ability to query the sampling oracle and a bound on the channel's min-entropy available to sender and receiver. In particular, the receiver is not assumed to be able to sample from the channel. The adversary, of course, may know more about the channel.

Efficient (in terms of running time, number of samples, rate, reliability). The running times of sender's and receiver's algorithms should be minimized. Affairs are slightly complicated by the sender's algorithm, which involves two kinds of fundamentally different operations: computation, and channel sampling. Because obtaining a channel sample could conceivably be of much higher cost than performing a computation step, the two should be separately accounted for. Transmission rate of a stegosystem is the number of hiddentext bits transmitted per single stegotext document sent. Transmission rate is tied to reliability, which is the probability of successful decoding of an encoded message (and unreliability, which is one minus reliability).
The goal is to construct stegosystems that are reliable and transmit at a high rate (it is easier to transmit at a high rate if reliability is low and so the receiver will not understand much of what is transmitted). Even if a stegosystem is black-box, its efficiency may depend on the channel distribution. We will be interested in the dependence on the channel min-entropy $h$. Ideally, a stegosystem would work well even for low-min-entropy channels.

Secure. Insecurity is defined as the adversary's advantage in distinguishing stegotext from regular channel communication (and security as one minus insecurity). Note that security, like efficiency, may depend on the channel min-entropy. We are interested in stegosystems with insecurity as close to 0 as possible, ideally even for low-min-entropy channels.

Stateless. It is desirable to construct stateless stegosystems, so that the sender and the receiver need not maintain synchronized state in order to communicate long messages. Indeed, the need for synchrony may present a particular problem in steganography in case messages between sender and receiver are dropped or arrive out of order. Unlike in counter-mode symmetric encryption, where the counter value can be sent along with the ciphertext in the clear, here this is not possible: the counter itself would also have to be steganographically encoded to avoid detection, which brings us back to the original problem of steganographically encoding multibit messages.

1.3 Our Contributions

We study the optimal efficiency achievable by black-box steganography, and present secret-key stegosystems that are nearly optimal.
Specifically, we demonstrate the following results:

• A lower bound, which states that a secure and reliable black-box stegosystem with rate of $w$ bits per document sent requires the encoder to take at least $c\,2^w$ samples from the channel per $w$ bits sent, for some constant $c$. The value of $c$ depends on security and reliability, and tends to $1/(2e)$ as security and reliability approach 1. This lower bound applies to secret-key as well as public-key stegosystems.

• A stateful black-box secret-key stegosystem STF that transmits $w$ bits per document sent, takes $2^w$ samples per $w$ bits, and has unreliability of $2^{-h+w}$ per document (recall that $h$ is the channel entropy) and negligible insecurity, which is independent of the channel. (A very similar construction was independently discovered by Hopper [12, Construction 6.10].)

• A stateless black-box secret-key stegosystem STL that transmits $w$ bits per document sent, takes $2^w$ samples per $w$ bits, and has unreliability $2^{-\Theta(2^h)}$ and insecurity negligibly close to $l^2\,2^{-h+2w}$ for $lw$ bits sent.

Note that for both stegosystems, the rate vs. number of samples tradeoff is very close to the lower bound—in fact, for channels with sufficient entropy, the optimal rate allowed by the lower bound and the achieved rate differ by $\log_2 2e < 2.5$ bits (and some of that seems due to slack in the bound). Thus, our bound is quite tight, and our stegosystems quite efficient. The proof of the lower bound involves a surprising application of the huge random objects of [8], specifically of the truthful implementation of a boolean function with interval-sum queries. The lower bound demonstrates that significant improvements in stegosystem performance must come from assumptions about the channel.
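The sample counts in the list above are those of rejection sampling: for each $w$-bit block the encoder keeps drawing documents from the channel until a keyed pseudorandom function of the draw equals the block, which costs about $2^w$ draws on average, and the receiver recovers the block by evaluating the same function, without any channel access. The Python program below is an added illustration of that mechanism written for this page; it is not the paper's STF or STL construction, whose exact definitions are not reproduced here. It assumes HMAC-SHA256 as a stand-in for the PRF, a constructed toy channel of 64 "status note" documents sampled uniformly (a flat channel with $h = 6$), and a constructed key. A block whose target value never comes up within the sample cap is still sent as a genuine channel sample, so the stegotext stays inside the channel and the failure shows up as unreliability, which is the behaviour the lower-bound argument expects of a good encoder.

```python
import hashlib
import hmac
import random

# Constructed toy channel: the "innocuous documents" are short status notes.
# Sampling is uniform over the list, i.e. a flat channel with H = 64 (h = 6).
CHANNEL = [f"Status note {k}: nothing to report." for k in range(64)]


def prf_bits(key, counter, document, w):
    """PRF stand-in (assumption: HMAC-SHA256 keyed with the shared secret).
    Returns w pseudorandom bits derived from the document counter and the document."""
    msg = counter.to_bytes(8, "big") + document.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << w) - 1)


def to_blocks(message_bits, w):
    """Split a bit string such as "0110..." into w-bit integer blocks (zero-padded)."""
    padded = message_bits + "0" * (-len(message_bits) % w)
    return [int(padded[i:i + w], 2) for i in range(0, len(padded), w)]


def encode(key, blocks, sampler, w, max_tries=512):
    """Rejection-sampling encoder: for block i keep drawing documents until the PRF
    value of (counter i, document) equals the block.  Every document sent is a real
    channel sample, so the output stays in the channel even when a block fails; a
    failed block is sent as the last draw and simply decodes incorrectly.
    Returns (stegotext, total_samples, failed_flags)."""
    stegotext, samples, failed = [], 0, []
    for i, block in enumerate(blocks):
        chosen = None
        for _ in range(max_tries):
            cand = sampler(i)
            samples += 1
            if prf_bits(key, i, cand, w) == block:
                chosen = cand
                break
        failed.append(chosen is None)
        stegotext.append(cand if chosen is None else chosen)
    return stegotext, samples, failed


def decode(key, stegotext, w):
    """The decoder needs no channel access: it recomputes the PRF on each document."""
    return [prf_bits(key, i, doc, w) for i, doc in enumerate(stegotext)]


def run_demo(w=2, seed=7, message_bits="0110100001101001" * 2):
    """Encode a constructed 32-bit hiddentext as 16 documents at w = 2 bits each."""
    rng = random.Random(seed)
    key = b"shared-secret-key-for-demo"   # constructed key, not a real secret

    def sampler(history_len):
        # D_i is the same uniform distribution for every history length here
        return rng.choice(CHANNEL)

    blocks = to_blocks(message_bits, w)
    stegotext, samples, failed = encode(key, blocks, sampler, w)
    decoded = decode(key, stegotext, w)
    return blocks, stegotext, samples, failed, decoded


if __name__ == "__main__":
    blocks, stegotext, samples, failed, decoded = run_demo()
    print(f"{len(blocks)} blocks, {samples} channel samples "
          f"({samples / len(blocks):.2f} per block; 2^w = 4 expected on average)")
    print("decoded correctly:", decoded == blocks, " failed blocks:", sum(failed))
```

Running the demo several times with different seeds shows the per-block sample count scattering around $2^w$; the counter in the PRF input is the only shared state, which is the stateful flavour described for STF, and dropping it would make the scheme stateless at the cost of the security dependence on channel entropy the list attributes to STL.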
The stateless stegosystem STL can be used whenever the underlying channel distribution has sufficient min-entropy $h$ for the insecurity $l^2\,2^{-h+2w}$ to be acceptably low. It is extremely simple, requiring just evaluations of a pseudorandom function for encoding and decoding, and very reliable. If the underlying channel does not have sufficient min-entropy, then the stateful stegosystem STF can be used, because its insecurity is independent of the channel. While it requires shared synchronized state between sender and receiver, the state information is only a counter of the number of documents sent so far. If min-entropy of the channel is so low that unreliability of $2^{-h+w}$ per document is too high for the application, reliability of this stegosystem can be improved through the use of error-correcting codes over the $2^w$-ary alphabet (applied to the hiddentext before stegoencoding), because failure to decode correctly is independent for each $w$-bit block. Error-correcting codes can increase reliability to be negligibly close to 1 at the expense of reducing the asymptotic rate from $w$ to $w - (h+2)2^{-h+w}$. Finally, of course, the min-entropy of any channel can be improved from $h$ to $nh$ by viewing $n$ consecutive samples as a single draw from the channel; if $h$ is extremely small to begin with, this will be more efficient than using error-correcting codes (this improvement requires both parties to be synchronized modulo $n$, which is not a problem in the stateful case).

This stateful stegosystem STF also admits a few variants. First, the logarithmic amount of shared state can be eliminated at the expense of adding a linear amount of private state to the sender and reducing reliability slightly (as further described in 4.1), thus removing the need for synchronization between the sender and the receiver.
Second, under additional assumptions about the channel (e.g., if each document includes time sent, or has a sequence number), STF can be made completely stateless. The remarks of this paragraph and the previous one can be equally applied to [12, Construction 6.10].

1.4 Related Work

The bibliography on the subject of steganography is extensive; we do not review it all here, but rather recommend references in [11].

Constructions. In addition to introducing the complexity-theoretic model for steganography, [11] proposed two constructions of black-box¹ secret-key stegosystems, called Construction 1 and Construction 2. Construction 1 is stateful and, like our stateful construction STF, boasts negligible insecurity regardless of the channel. However, it can transmit only 1 bit per document, and its reliability is limited by $1/2 + 1/4(1 - 2^{-h})$ per document sent, which means that, regardless of the channel, each hiddentext bit has probability at least $1/4$ of arriving incorrectly (thus, to achieve high reliability, error-correcting codes with expansion factor of at least $1/(1 - H_2(1/4)) \approx 5$ are needed). In contrast, STF has reliability that is exponentially (in the min-entropy) close to 1, and thus works well for any channel with sufficient entropy. Furthermore, it can transmit at rate $w$ for any $w < h$, provided that the encoder has sufficient time for the $2^w$ samples required. It can be seen as a generalization of Construction 1. Construction 2 of [11] is stateless. Like the security of our stateless construction STL, its security depends on the min-entropy of the underlying channel.
While no exact analysis is provided in [11], the insecurity of Construction 2 seems to be roughly $\sqrt{l}\,2^{(-h+w)/2}$ (due to the fact that the adversary sees $l$ samples either from $C$ or from a known distribution with bias roughly $2^{(-h+w)/2}$ caused by a public extractor; see Appendix A), which is higher than the insecurity of STL (unless $l$ and $w$ are so high that $h < 3w + 3\log l$, in which case both constructions are essentially insecure, because insecurity is higher than the inverse of the encoder's running time $l\,2^w$). Reliability of Construction 2, while not analyzed in [11], seems close to the reliability of STL. The rate of Construction 2 is lower (if other parameters are kept the same), due to the need for randomized encryption of the hiddentext, which necessarily expands the number of bits sent.

It is important to note that the novelty of STL is not the construction itself, but rather its analysis. Specifically, its stateful variant appeared as Construction 1 in the Extended Abstract of [11], but the analysis of the Extended Abstract was later found to be flawed by [13]. Thus, the full version of [11] included a different Construction 1. We simply revive this old construction, make it stateless, generalize it to $w$ bits per document, and, most importantly, provide a new analysis for it.

In addition to the two constructions of [11] described above, and independently of our work, Hopper [12] proposed two more constructions: Constructions 6.10 (MultiBlock) and 3.15 (NoState). As already mentioned, MultiBlock is essentially the same as our STF.

¹ Construction 2, which, strictly speaking, is not presented as a black-box construction in [11], can be made black-box through the use of extractors (such as universal hash functions) in place of unbiased functions, as shown in [18].
NoState is an interesting variation of Construction 1 of [11] that addresses the problem of maintaining shared state at the expense of lowering the rate even further.

Bounds on the Rate and Efficiency. Hopper in [12, Section 6.2] establishes a bound on the rate vs. efficiency tradeoff. Though quantitatively similar to ours (in fact, tighter by the constant of $2e$), this bound applies only to a restricted class of black-box stegosystems: essentially, stegosystems that encode and decode one block at a time and sample a fixed number of documents per block. The bound presented in this paper applies to any black-box stegosystem, as long as it works for a certain reasonable class of channels, and thus can be seen as a generalization of the bound of [12]. Our proof techniques are quite different than those of [12], and we hope they may be of independent interest. We refer the reader to Section 3.4 for an elaboration. Finally it should be noted that non-black-box stegosystems can be much more efficient—see [11, 18, 14, 15].

2 Definitions

2.1 Steganography

The definitions here are essentially those of [11]. We modify them in three ways. First, we view the channel as producing documents (symbols in some, possibly very large, alphabet) rather than bits. This simplifies notation and makes min-entropy of the channel more explicit. Second, we consider stegosystem reliability as a parameter rather than a fixed value. Third, we make the length of the adversary's description (and the adversary's dependence on the channel) explicit in the definition.

The Channel. Let $\Sigma$ be an alphabet; we call the elements of $\Sigma$ documents. A channel $C$ is a map that takes a history $H \in \Sigma^*$ as input and produces a probability distribution $D_H$ on $\Sigma$.
A history $H = s_1 s_2 \ldots s_n$ is legal if each subsequent symbol is obtainable given the previous ones, i.e., $\Pr_{D_{s_1 s_2 \ldots s_{i-1}}}[s_i] > 0$. Min-entropy of a distribution $D$ is defined as $H_\infty(D) = \min_{s \in D}\{-\log_2 \Pr_D[s]\}$. Min-entropy of $C$ is the $\min_H H_\infty(D_H)$, where the minimum is taken over legal histories $H$. Our stegosystems will make use of a channel sampling oracle $M$, which, on input $H$, outputs a symbol $s$ according to $D_H$. A stegosystem may be designed for a particular $\Sigma$ and min-entropy of $C$.

Definition 1. A black-box secret-key stegosystem for the alphabet $\Sigma$ is a pair of probabilistic polynomial time algorithms $ST = (SE, SD)$ such that, for a security parameter $\kappa$,

1. $SE$ has access to a channel sampling oracle $M$ for a channel $C$ on $\Sigma$ and takes as input a randomly chosen key $K \in \{0,1\}^\kappa$, a string $m \in \{0,1\}^*$ (called the hiddentext), and the channel history $H$. It returns a string of symbols $s_1 s_2 \ldots s_l \in \Sigma^*$ (called the stegotext).

2. $SD$ takes as input a key $K \in \{0,1\}^\kappa$, a stegotext $s_1 s_2 \ldots s_l \in \Sigma^*$, and a channel history $H$ and returns a hiddentext $m \in \{0,1\}^*$.

We further assume that the length $l$ of the stegotext output by $SE$ depends only on the length of hiddentext $m$ but not on its contents.

Stegosystem Reliability. The reliability of a stegosystem $ST$ with security parameter $\kappa$ for a channel $C$ and messages of length $\mu$ is defined as
$$\mathrm{Rel}_{ST(\kappa),C,\mu} = \min_{m \in \{0,1\}^\mu,\, H}\Big\{\Pr_{K \in \{0,1\}^\kappa}\big[SD(K, SE^M(K, m, H), H) = m\big]\Big\}.$$
Unreliability is defined as $\mathrm{UnRel}_{ST(\kappa),C,\mu} = 1 - \mathrm{Rel}_{ST(\kappa),C,\mu}$.

The Adversary. We consider only passive adversaries who mount a chosen hiddentext attack on $ST$ (stronger adversarial models for steganography have also been considered, see, e.g., [11, 18, 1]).
The goal of such an adversary is to distinguish whether it is seeing encodings of the hiddentext it supplied to the encoder or simply random draws from the channel. To this end, define an oracle $O(\cdot, H)$ that produces random draws from the channel starting with history $H$ as follows: on input $m \in \{0,1\}^*$, $O$ computes the length $l$ of the stegotext that $SE^M(K, m)$ would have output and outputs $s_1 s_2 \ldots s_l$ where each $s_i$ is drawn according to $D_{H \circ s_1 s_2 \ldots s_{i-1}}$.

Definition 2. $W$ is a $(t, d, q, \lambda)$ passive adversary for stegosystem $ST$ if

1. $W$ runs in expected time $t$ (including the running time needed by the stegoencoder to answer its queries) and has description of length $d$ (in some canonical language).

2. $W$ has access to $C$ via the sampling oracle $M(\cdot)$.

3. $W$ can make an expected number of $q$ queries of combined length $\lambda$ bits to an oracle which is either $SE^M(K, \cdot, \cdot)$ or $O(\cdot, \cdot)$.

4. $W$ outputs a bit indicating whether it was interacting with $SE$ or with $O$.

Stegosystem Security. The advantage $\mathrm{Adv}^{SS}$ (here SS stands for "Steganographic Secrecy") of $W$ against $ST$ with security parameter $\kappa$ for a channel $C$ is defined as
$$\mathrm{Adv}^{SS}_{ST(\kappa),C}(W) = \Big|\Pr_{K \leftarrow \{0,1\}^\kappa}\big[W^{M,\,SE^M(K,\cdot,\cdot)} = 1\big] - \Pr\big[W^{M,\,O(\cdot,\cdot)} = 1\big]\Big|.$$
For a given $(t, d, q, \lambda)$, the insecurity of a stegosystem $ST$ with respect to channel $C$ is defined as
$$\mathrm{InSec}^{SS}_{ST(\kappa),C}(t, d, q, \lambda) = \max_{(t,d,q,\lambda)\text{ adversary } W}\big\{\mathrm{Adv}^{SS}_{ST(\kappa),C}(W)\big\},$$
and security $\mathrm{Sec}$ as $1 - \mathrm{InSec}$.

Note that the adversary's algorithm can depend on the channel $C$, subject to the restriction on the algorithm's total length $d$. In other words, the adversary can possess some description of the channel in addition to the black-box access provided by the channel oracle.
This is a meaningful strengthening of the adversary: indeed, it seems imprudent to assume that the adversary's knowledge of the channel is limited to whatever is obtainable by black-box queries (for instance, the adversary has some idea of what a reasonable email message or photograph should look like). It does not contradict our focus on black-box steganography: it is prudent for the honest parties to avoid relying on particular properties of the channel, while it is perfectly sensible for the adversary, in trying to break the stegosystem, to take advantage of whatever information about the channel is available.

2.2 Pseudorandom Functions

We use pseudorandom functions [7] as a tool. Because the adversary in our setting has access to the channel, any cryptographic tool used must be secure even given the information provided by the channel. Thus, the underlying assumption for our constructions is the existence of pseudorandom functions that are secure given the channel oracle, which is equivalent [9] to the existence of one-way functions that are secure given the channel oracle. This is the minimal assumption needed for steganography [11].

Let $F = \{F_{seed}\}_{seed \in \{0,1\}^*}$ be a family of functions, all with the same domain and range. For a probabilistic adversary $A$, and channel $C$ with sampling oracle $M$, the PRF-advantage of $A$ over $F$ is defined as
$$\mathrm{Adv}^{PRF}_{F(n),C}(A) = \Big|\Pr_{seed \leftarrow \{0,1\}^n}\big[A^{M,\,F_{seed}(\cdot)} = 1\big] - \Pr_g\big[A^{M,\,g(\cdot)} = 1\big]\Big|,$$
where $g$ is a random function with the same domain and range.
For a given $(t, d, q)$, the insecurity of a pseudorandom function family $F$ with respect to channel $C$ is defined as
$$\mathrm{InSec}^{PRF}_{F(n),C}(t, d, q) = \max_{(t,d,q)\text{ adversary } A}\big\{\mathrm{Adv}^{PRF}_{F(n),C}(A)\big\},$$
where the maximum is taken over all adversaries that run in expected time $t$, whose description size is at most $d$, and that make an expected number of $q$ queries to their oracles.

The existence of pseudorandom functions is also the underlying assumption for our lower bound; however, for the lower bound, we do not need to give the adversary access to a channel oracle (because we construct the channel). To distinguish this weaker assumption, we will omit the subscript $C$ from $\mathrm{InSec}$.

3 The Lower Bound

Recall that we define the rate of a stegosystem as the average number of hiddentext bits per document sent (this should not be confused with the average number of hiddentext bits per bit sent; note also that this is the sender's rate, not the rate of information actually decoded by the receiver, which is lower due to unreliability). We set out to prove that a reliable stegosystem with black-box access to the channel with rate $w$ must make roughly $l\,2^w$ queries to the channel to send a message of length $lw$. Intuitively, this should be true because each document carries $w$ bits of information on average, but since the encoder knows nothing about the channel, it must keep on sampling until it gets the encoding of those $w$ bits, which amounts to $2^w$ samples on average.

In particular, for the purposes of this lower bound it suffices to consider a restricted class of channels: the distribution of the sample depends only on the length of the history (not on its contents). We will write $D_1, D_2, \ldots, D_i, \ldots$, instead of $D_H$, where $i$ is the length of the history $H$.
Furthermore, it will suffice for us to consider only distributions $D_i$ that are uniform on a subset of $\Sigma$. We will use the notation $D_i$ both for the distribution and for the subset (as is often done for uniform distributions). Let $H$ denote the number of elements of $D_i$ (note that $H = |D_i| = 2^h$), and let $S = |\Sigma|$. Because the encoder knows the min-entropy $h$ of the channel, if $H = S$, then the encoder knows the channel completely (it is simply uniform on $\Sigma$). Therefore, if $H = S$, then there is no meaningful lower bound on the number of queries made by the encoder to the channel oracle, because it does not need to make any queries in order to sample from the channel. Thus, we require that $H < S$ (our bounds will depend slightly on the ratio of $S$ to $S - H$).

Our proof proceeds in two parts. First, we consider a stegoencoder $SE$ that does not output anything that it did not receive as a response from the channel-sampling oracle (intuitively, every good stegoencoder should work this way, because otherwise it may output something that is not in the channel, and thus be detected). To be reliable—that is, to find a set of documents that decode to the desired message—such an encoder has to make many queries, as shown in Lemma 1. Second, we formalize the intuition that a good stegoencoder should output only documents it received from the channel-sampling oracle: we show that to be secure (i.e., not output something easily detectable by the adversary), a black-box $SE$ cannot output anything it did not receive from the oracle: if it does, it has a $1 - H/S$ chance of being detected.
The second half of the proof is somewhat complicated by the fact that we want to assume security only against bounded adversaries: namely, ones whose description size and running time are polynomial in the description size and running time of the encoder (in particular, polynomial in $\log S$ rather than $S$). Thus, the adversary cannot be detecting a bad stegoencoder by simply carrying a list of all the entries in $D_i$ for each $i$ and checking if the $i$th document sent by the stegoencoder is in $D_i$, because that would make the adversary's description too long. This requires us to come up with pseudorandom subsets $D_i$ of $\Sigma$ that have concise descriptions and high min-entropy and whose membership is impossible for the stegoencoder to predict. In order to do that, we utilize techniques from the truthful implementation of a boolean function with interval-sum queries of [8] (truthfulness is important, because min-entropy has to be high unconditionally).

3.1 Lower Bound When Only Query Results Are Output

If $D_1, D_2, \ldots$ are subsets of $\Sigma$, then we write $\vec D = D_1 \times D_2 \times \ldots$ to denote the channel that, on history length $i$, outputs a uniformly random element of $D_i$. If $|D_1| = |D_2| = \ldots = 2^h$ then we say that $\vec D$ is a flat $h$-channel. We will consider flat $h$-channels.

Normally, one would think of the channel sampling oracle for $\vec D$ as making a fresh random choice from $D_i$ when queried on history length $i$. However, from the point of view of the stegoencoder, it does not matter if the choice was made by the oracle in response to the query, or before the query was even made. It will be easier for us to think of the oracle as having already made and written down countably many samples from each $D_i$. We will denote the $j$th sample from $D_i$ by $s_{i,j}$. Thus, suppose that the oracle has already chosen $s_{1,1}, s_{1,2}, \ldots, s_{1,j}, \ldots$ from $D_1$, $s_{2,1}, s_{2,2}, \ldots, s_{2,j}, \ldots$ from $D_2$, $\ldots$, $s_{i,1}, s_{i,2}, \ldots, s_{i,j}, \ldots$ from $D_i$, $\ldots$. We will denote the string containing all these samples by $\mathcal S$ and refer to it as a draw sequence from the channel. We will give our stegoencoder access to an oracle (also denoted by $\mathcal S$) that, each time it is queried with $i$, returns the next symbol from the sequence $s_{i,1}, s_{i,2}, \ldots, s_{i,j}, \ldots$. Choosing $\mathcal S$ at random and giving the stegoencoder access to it is equivalent to giving the encoder access to the usual channel-sampling oracle $M$ for our channel $\vec D$.

Denote the stegoencoder's output by $SE^{\mathcal S}(K, m, H) = t = t_1 t_2 \ldots t_l$, where $t_i \in \Sigma$. Because we assume in this section that the stegoencoder outputs only documents it got from the channel oracle, $t_i$ is an element of the sequence $s_{i,1}, s_{i,2}, \ldots, s_{i,j}, \ldots$. If $t_i$ is the $j$th element of this sequence, then it took $j$ queries to produce it. We will denote by weight of $t$ with respect to $\mathcal S$ the number of queries it took to produce $t$:
$$W(t, \mathcal S) = \sum_{i=1}^{l} \min\{\, j \mid s_{i,j} = t_i \,\}.$$
In the next lemma, we prove (by looking at the decoder) that for any $\mathcal S$ most messages have high weight, i.e., must take many queries to encode.

Lemma 1. Let $F : \Sigma^* \to \{0,1\}^*$ be an arbitrary (possibly unbounded) deterministic stegodecoder that takes a sequence $t \in \Sigma^l$ and outputs a message $m$ of length $lw$ bits. Then the probability that a random $lw$-bit message has an encoding of weight significantly less than $(1/e)\,l\,2^w$ is small. More precisely, for any $\mathcal S \in \Sigma^{**}$ and any $N \in \mathbb N$:
$$\Pr_{m \in \{0,1\}^{lw}}\big[(\exists t \in \Sigma^l)\,(F(t) = m \wedge W(t, \mathcal S) \le N)\big] \le \frac{\binom{N}{l}}{2^{lw}} < \left(\frac{Ne}{l\,2^w}\right)^l.$$

Proof.
Simple combinatorics show that the number of different sequences $t$ that have weight at most $N$ (and hence the number of messages that have encodings of weight at most $N$) is at most $\binom{N}{l}$: indeed, it is simply the number of positive integer solutions to $j_1 + \ldots + j_l \le N$, which is the number of ways to put $l$ bars among $N - l$ stars (the number of stars to the right of the $i$th bar corresponds to $j_i - 1$), or, equivalently, the number of ways to choose $l$ positions out of $N$. The total number of messages is $2^{lw}$. The last inequality follows from $\binom{N}{l} < \left(\frac{Ne}{l}\right)^l$ (which is a standard combinatorics fact and follows from $k! \ge (k/e)^k$, which in turn follows by induction on $k$ from $e > (1 + 1/k)^k$).

Our lower bound applies when a stegosystem is used to encode messages drawn uniformly from bit strings of equal length. It can easily be extended to messages drawn from a uniform distribution on any set. If the messages are not drawn from a uniform distribution, then, in principle, they can be compressed before transmission, thus requiring less work on the part of the stegoencoder. We do not provide a lower bound in such a case, because any such lower bound would depend on the compressibility of the message source.

3.2 Secure Stegosystems Almost Always Output Query Answers

The next step is to prove that the encoder of a secure black-box stegosystem must output only what it gets from the oracle, or else it has a high probability of outputting something not in the channel. Assume that $\vec D$ is a flat $h$-channel chosen uniformly at random. For $t = t_1 \ldots t_l \in \Sigma^*$, let $t \in \vec D$ denote that $t_i$ is in $D_i$ for each $i$. In the following lemma, we demonstrate that, if the encoder's output $t$ contains a document that it did not receive as a response to a query, the chances that $t \in \vec D$ are at most $H/S$.
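The counting step of Lemma 1 and its proof can be checked concretely on a small instance. The following Python code is an added example written for this page, not part of the paper: it brute-forces the number of positive-integer tuples $(j_1, \ldots, j_l)$ with $j_1 + \ldots + j_l \le N$ and compares it with $\binom{N}{l}$, checks the inequality $\binom{N}{l} < (Ne/l)^l$, and then builds a constructed flat $h$-channel on a 16-symbol alphabet together with a random draw sequence $\mathcal S$ and a random decoder $F$, computes the minimum weight $W(t, \mathcal S)$ of an encoding for every $lw$-bit message, and confirms that the fraction of messages with a cheap encoding never exceeds $\binom{N}{l}/2^{lw}$. All parameters (alphabet size, $h$, $l$, $w$, $N$, the seed) are assumptions chosen to keep the enumeration small.

```python
import itertools
import math
import random
from fractions import Fraction


def count_weight_at_most(l, N):
    """Brute-force count of positive-integer tuples (j_1, ..., j_l) with
    j_1 + ... + j_l <= N.  The proof of Lemma 1 says this equals C(N, l)."""
    return sum(1 for js in itertools.product(range(1, N + 1), repeat=l)
               if sum(js) <= N)


def stirling_style_bound_holds(N, l):
    """The standard fact C(N, l) < (N e / l)^l used for the last inequality."""
    return math.comb(N, l) < (N * math.e / l) ** l


def lemma1_bound(l, w, N):
    """Both right-hand sides of Lemma 1: the exact C(N, l) / 2^{lw}
    and the looser (N e / (l 2^w))^l."""
    exact = Fraction(math.comb(N, l), 2 ** (l * w))
    loose = (N * math.e / (l * 2 ** w)) ** l
    return exact, loose


def symbol_weight(draw_seq_i, symbol):
    """min{ j | s_{i,j} = symbol }: queries to D_i until the oracle hands out
    `symbol`; math.inf if it never appears in the (truncated) draw sequence."""
    for j, s in enumerate(draw_seq_i, start=1):
        if s == symbol:
            return j
    return math.inf


def cheap_message_fraction(sigma, l, w, draw_seq, decoder, N):
    """Fraction of lw-bit messages m having some encoding t with F(t) = m and
    W(t, S) <= N, for a fixed draw sequence S and deterministic decoder F."""
    best = {}
    for t in itertools.product(sigma, repeat=l):
        weight = sum(symbol_weight(draw_seq[i], t[i]) for i in range(l))
        m = decoder[t]
        best[m] = min(best.get(m, math.inf), weight)
    cheap = sum(1 for m in range(2 ** (l * w)) if best.get(m, math.inf) <= N)
    return Fraction(cheap, 2 ** (l * w))


def run_demo(seed=1, S=16, h=3, l=3, w=2, N=4, tail=64):
    """Constructed instance: alphabet of S symbols, flat h-channel (|D_i| = 2^h),
    a random draw sequence of `tail` samples per position and a random decoder."""
    rng = random.Random(seed)
    sigma = list(range(S))
    Ds = [rng.sample(sigma, 2 ** h) for _ in range(l)]          # D_1, ..., D_l
    draw_seq = [[rng.choice(Ds[i]) for _ in range(tail)] for i in range(l)]
    msgs = range(2 ** (l * w))
    decoder = {t: rng.choice(msgs) for t in itertools.product(sigma, repeat=l)}
    frac = cheap_message_fraction(sigma, l, w, draw_seq, decoder, N)
    exact, loose = lemma1_bound(l, w, N)
    return frac, exact, loose


if __name__ == "__main__":
    print("tuples with sum <= 7 for l = 3:", count_weight_at_most(3, 7), "= C(7,3) =", math.comb(7, 3))
    frac, exact, loose = run_demo()
    print(f"cheap-message fraction {frac} <= C(N,l)/2^lw = {exact} < {loose:.3f}")
```

Because the weight of a sequence is determined by one tuple $(j_1, \ldots, j_l)$ and distinct sequences need distinct tuples, the empirical fraction is bounded by $\binom{N}{l}/2^{lw}$ for every seed, not just on average; the looser bound only becomes informative once $N < l\,2^w/e$, which is exactly the regime the lemma is about.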
Before stating the lemma, we define the set $E$ of all possible flat $h$-channels and draw sequences consistent with them: $E = \{(\vec{D}, S) \mid s_{i,j} \in D_i\}$. We will be taking probabilities over $E$. Strictly speaking, $E$ is an infinite set, because we defined $\vec{D}$ to be countable and $S$ to have countably many samples from each $D_i$. For clarity, it may be easiest to think of truncating these countable sequences to a sufficiently large value beyond which no stegoencoder will ever go, thus making $E$ finite, and then use the uniform distribution on $E$. Formally, $E$ can be defined as a product of countably many discrete probability spaces (see, e.g., [6, Section 9.6]), with uniform distribution on each.

Lemma 2. Consider any deterministic procedure $A$ that is given oracle access to a random flat $h$-channel $\vec{D}$ and outputs $t = t_1 t_2 \ldots t_l \in \Sigma^*$ (think of $A$ as the stegoencoder running on some input key, message, channel history, and fixed randomness). Provided that $h$ is sufficiently smaller than $\log S$, if $A$ outputs something it did not get from the oracle, then the probability $t \in \vec{D}$ is low. More precisely, let $Q_i$ be the set of responses $A$ received to its queries from the $i$th channel $D_i$. Define the following two events:
• nonqueried: $Nq = \{(\vec{D}, S) \in E \mid (\exists i)\; t_i \notin Q_i\}$
• in support: $Ins = \{(\vec{D}, S) \in E \mid t \in \vec{D}\}$
Then:
$$\Pr_{(\vec{D}, S) \in E}[Ins \wedge Nq] \le \frac{H}{S}.$$

Proof. If $A$ were always outputting just a single value ($l = 1$), the proof would be trivial: seeing some samples from a random $D_1$ does not help $A$ come up with another value from $D_1$, and $D_1$ makes up only an $H/S$ fraction of all possible outputs of $A$. The proof below is a generalization of this argument for $l \ge 1$, with care to avoid simply taking the union bound, which would get us $lH/S$ instead of $H/S$. Let
$$Nq_i = \{(\vec{D}, S) \in E \mid t_1 \in Q_1,\; t_2 \in Q_2,\; \ldots,\; t_{i-1} \in Q_{i-1},\; t_i \notin Q_i\}$$
be the event that $t_i$ is the first element of the output that was not returned by the oracle as an answer to a query. Observe that $\bigcup_i Nq_i = Nq$ and that the $Nq_i$ are disjoint events and, therefore, $\sum_i \Pr[Nq_i] = \Pr[Nq] \le 1$. Now the probability we are interested in is
$$\Pr[Ins \wedge Nq] = \sum_i \Pr[Ins \wedge Nq_i] = \sum_i \Pr[Ins \mid Nq_i]\,\Pr[Nq_i].$$
To bound $\Pr[Ins \mid Nq_i]$, fix any $S = s_{1,1}, s_{1,2}, \ldots, s_{1,q_1}, s_{2,1}, s_{2,2}, \ldots, s_{2,q_2}, \ldots$ such that $A^S$ asks exactly $q_1$ queries from $D_1$, $q_2$ queries from $D_2$, $\ldots$. Note that such $S$ determines the behavior of $A$, including its output. Assume that, for this $S$, the event $Nq_i$ happens. We will take the probability $\Pr[Ins \mid Nq_i]$ over a random $\vec{D}$ consistent with $S$ (i.e., for which $s_{1,1}, s_{1,2}, \ldots, s_{1,q_1} \in D_1$, $s_{2,1}, s_{2,2}, \ldots, s_{2,q_2} \in D_2$, $\ldots$). This probability can be computed simply as follows: if $q'_i$ is the number of distinct elements in $s_{i,1}, s_{i,2}, \ldots, s_{i,q_i}$, then there are $\binom{S - q'_i}{H - q'_i}$ equally likely choices for $D_i$ (because $q'_i$ elements of $D_i$ are already determined). However, for $Ins$ to happen, $D_i$ must also contain $t_i$, which is not among $s_{i,1}, s_{i,2}, \ldots, s_{i,q_i}$ (because we assumed $Nq_i$ happens). The choices of $D_1, \ldots, D_{i-1}, D_{i+1}, \ldots$ do not matter (they can only make $Ins$ less likely). Therefore,
$$\Pr[Ins \mid Nq_i] \le \frac{\binom{S - q'_i - 1}{H - q'_i - 1}}{\binom{S - q'_i}{H - q'_i}} = \frac{H - q'_i}{S - q'_i} \le \frac{H}{S}.$$
The above probability is for any fixed $S$ of the right length and randomly chosen $\vec{D}$ consistent with $S$. Therefore, it also holds for randomly chosen $(\vec{D}, S) \in E$, because the order in which $S$ and $\vec{D}$ are chosen and the values in $S$ beyond what $A$ queries do not affect the probability. We thus have
$$\Pr_{(\vec{D}, S) \in E}[Ins \wedge Nq] = \sum_i \Pr[Ins \mid Nq_i]\,\Pr[Nq_i] \le \sum_i \frac{H}{S}\,\Pr[Nq_i] = \frac{H}{S}\,\Pr[Nq] \le \frac{H}{S}.$$
Note that the penultimate expression also gives the conditional form $\Pr[Ins \mid Nq] \le H/S$, which is how the lemma is used in the proof of Theorem 1 below.
3.3 Lower Bound for Unbounded Adversary

We now want to tie together Lemmas 1 and 2 to come up with a lower bound on the efficiency of the stegoencoder in terms of rate, reliability, and security. Note that some work is needed, because even though Lemma 1 is about reliability and Lemma 2 is about security, neither mentions the parameters $Rel$ and $InSec$. Assume, for now, that the adversary can test whether $t_i$ is in the support of $D_i$. (This is not possible if $D_i$ is completely random and the adversary's description is small compared to $S = |\Sigma|$; however, it serves as a useful warm-up for the next section.) Then, using Lemma 2, it is easily shown that, if the stegoencoder has insecurity $\epsilon$, then it cannot output something it did not receive as a response to a query with probability higher than $\epsilon/(1 - H/S)$. This leads to the following theorem.

Theorem 1. Let $(SE, SD)$ be a black-box stegosystem with insecurity $\epsilon$ against an adversary who has an oracle for testing membership in the support of $C$, unreliability $\rho$ and rate $w$ for an alphabet $\Sigma$ of size $S$. Then, for any positive integer $H < S$, there exists a channel with min-entropy $h = \log_2 H$ such that the probability that the encoder makes at most $N$ queries to send a random message of length $lw$ is at most
$$\left(\frac{Ne}{l\,2^w}\right)^l + \rho + \epsilon R,$$
and the expected number of queries per stegotext symbol is therefore at least
$$\frac{2^w}{e}\left(\frac{1}{2} - \rho - \epsilon R\right), \qquad \text{where } R = \frac{S}{S - H}.$$
Note that, like Lemma 1, this theorem and Theorem 2 apply when a stegosystem is used to encode messages drawn uniformly from the distribution of all $lw$-bit messages (see the remark following the proof of Lemma 1).

Proof.
We define the following events, which are all subsets of $E \times \{0,1\}^* \times \{0,1\}^{lw} \times \{0,1\}^*$ (below $v$ denotes the randomness of $SE$):
• "$SE$ makes few queries to encode $m$ under $K$": $Few = \{(\vec{D}, S, K, m, v) \mid SE^S(K, m; v) \text{ makes at most } N \text{ queries}\}$ (note that this is the event whose probability we want to bound)
• "$SE$ outputs a correct encoding of $m$ under $K$": $Corr = \{(\vec{D}, S, K, m, v) \mid SD(K, SE^S(K, m; v)) = m\}$
• "$m$ has an encoding $t$ under $K$, and this encoding has low weight": $Low = \{(\vec{D}, S, K, m, v) \mid (\exists t)\; SD(K, t) = m \wedge W(t, S) \le N\}$
• $Ins$ and $Nq$ as in Lemma 2, but as subsets of $E \times \{0,1\}^* \times \{0,1\}^{lw} \times \{0,1\}^*$
Suppose that $SE$ outputs a correct encoding of a message $m$. In that case, the probability that it made at most $N$ queries to the channel is upper bounded by the probability that: (i) there exists an encoding of $m$ of weight at most $N$, or (ii) $SE$ output something it did not query. In other words,
$$\Pr[Few \mid Corr] \le \Pr[Low \mid Corr] + \Pr[Nq \mid Corr].$$
Now we have (writing $\overline{X}$ for the complement of an event $X$)
$$\begin{aligned}
\Pr[Few] &= \Pr[Few \cap Corr] + \Pr[Few \cap \overline{Corr}] \le \Pr[Few \cap Corr] + \Pr[\overline{Corr}] \\
&= \Pr[Few \mid Corr]\cdot\Pr[Corr] + \Pr[\overline{Corr}] \le \big(\Pr[Low \mid Corr] + \Pr[Nq \mid Corr]\big)\cdot\Pr[Corr] + \Pr[\overline{Corr}] \\
&= \Pr[Low \cap Corr] + \Pr[Nq \cap Corr] + \Pr[\overline{Corr}] \le \Pr[Low] + \Pr[Nq] + \Pr[\overline{Corr}].
\end{aligned}$$
Because insecurity is $\epsilon$ and the adversary can test membership in the support, $\Pr[\overline{Ins}] \le \epsilon$. Hence,
$$\Pr[Nq] = \frac{\Pr[\overline{Ins} \cap Nq]}{\Pr[\overline{Ins} \mid Nq]} = \frac{\Pr[\overline{Ins}]}{\Pr[\overline{Ins} \mid Nq]} \le \frac{\epsilon}{1 - H/S} \qquad (1)$$
(the second equality follows from the fact that if the encoder outputs something not in $\vec{D}$, then it must have not queried it, i.e., $\overline{Ins} \subseteq Nq$; the inequality follows from Lemma 2, which gives $\Pr[Ins \mid Nq] \le H/S$). By Lemma 1 we have
$$\Pr[Low] \le \left(\frac{Ne}{l\,2^w}\right)^l. \qquad (2)$$
Now by combining (1), (2), and the fact that $\Pr[\overline{Corr}] \le \rho$ by reliability, we get that
$$\Pr[Few] \le \left(\frac{Ne}{l\,2^w}\right)^l + \rho + \frac{\epsilon}{1 - H/S}.$$
Note that the probability is taken, in particular, over a random choice of $\vec{D}$. Therefore, it holds for at least one flat $h$-channel. Let the random variable $q$ be equal to the number of queries made by $SE$ to encode $m$ under $K$. Then, letting $d = l\,2^w/e$ and $c = 1 - \rho - \frac{\epsilon}{1 - H/S}$, we get
$$E[q] = \sum_{N \ge 0} \Pr[q > N] \ge \sum_{N=0}^{\lceil d \rceil - 1}\left(c - \left(\frac{N}{d}\right)^l\right) \ge \sum_{N=0}^{\lceil d \rceil - 1}\left(c - \frac{N}{d}\right) = c\,\lceil d \rceil - \frac{(\lceil d \rceil - 1)\,\lceil d \rceil}{2d} \ge \left(c - \frac{1}{2}\right)\lceil d \rceil.$$
The expected number of queries per document sent is $E[q]/l$ and so is at least $\left(\frac{1}{2} - \rho - \frac{\epsilon}{1 - H/S}\right)\frac{2^w}{e}$.

3.4 Lower Bound for Computationally Bounded Parties

We now want to establish the same lower bound without making such a strong assumption about the security of the stegosystem. Namely, we do not want to assume that the insecurity $\epsilon$ is low unless the adversary's description size and running time are feasible ("feasible," when made rigorous, will mean some fixed polynomial in the description size and running time of the stegoencoder and in a security parameter for a function that is pseudorandom against the stegoencoder). Recall that our definitions allow the adversary to depend on the channel; thus, our goal is to construct channels that have short descriptions for the adversary but look like random flat $h$-channels to the black-box stegoencoder. In other words, we wish to replace a random flat $h$-channel with a pseudorandom one.

We note that the channel is pseudorandom only in the sense that it has a short description, so as to allow the adversary to be computationally bounded. The min-entropy guarantee, however, cannot be replaced with a "pseudo-guarantee": else the encoder is being lied to, and our lower bound is no longer meaningful.
Thus, a simpleminded approach, such as using a pseudorandom predicate with bias $H/S$ applied to each symbol and history length to determine whether the symbol is in the support of the channel, will not work here: because $S$ is constant, eventually (for some history length) the channel will have lower than guaranteed min-entropy (moreover, we do not wish to assume that $S$ is large in order to demonstrate that this is unlikely to happen; our lower bound should work for any alphabet). Rather, we need the pseudorandom implementation of the channel to be truthful (see footnote 2) in the sense of [8], and so rely on the techniques developed therein. The result is the following theorem, which is similar to Theorem 1, except for a small term introduced by pseudorandomness of the channel.

Theorem 2. There exist polynomials $p_1, p_2$ and constants $c_1, c_2$ with the following property. Let $ST(\kappa)$ be a black-box stegosystem with security parameter $\kappa$, description size $\delta$, unreliability $\rho$, rate $w$, and running time $\tau$ for the alphabet $\Sigma = \{0, 1, \ldots, S - 1\}$. Assume that there exists a pseudorandom function family $F(n)$ with insecurity $InSec^{PRF}_{F(n)}(t, d, q)$.
Then, for any positive integer $H < S$, there exists a channel $C$ with min-entropy $h = \log_2 H$ such that the probability that the encoder makes at most $N$ queries to send a random message of length $lw$ is upper bounded by
$$\left(\frac{Ne}{l\,2^w}\right)^l + \rho + R\epsilon + (R + 1)\left(InSec^{PRF}_{F(n)}\big(p_1(\tau, n),\, \delta + c_1,\, p_1(\tau, n)\big) + \tau\,2^{-n}\right),$$
and the expected number of queries per stegotext symbol is therefore at least
$$\frac{2^w}{e}\left(\frac{1}{2} - \rho - R\epsilon - (R + 1)\left(InSec^{PRF}_{F(n)}\big(p_1(\tau, n),\, \delta + c_1,\, p_1(\tau, n)\big) + \tau\,2^{-n}\right)\right),$$
where $R = S/(S - H)$ and $\epsilon$ is the insecurity of the stegosystem $ST$ on the channel $C$ against adversaries running in time $p_2(n, \log S, l)$ of description size $n + c_2$, making just one query of length $lw$ to $SE$ or $O$ (i.e., $\epsilon = InSec^{SS}_{ST(\kappa), C}(p_2(n, \log S, l),\, n + c_2,\, 1,\, lw)$).

Proof. The main challenge lies in formulating the analogue of Lemma 2 under computational restrictions. Lemma 2 and its use in Theorem 1 relied on: (i) the inability of the encoder to predict the behavior of the channel (because the channel is random) and (ii) the ability of the adversary to test if a given string is in the support of the channel (which the adversary has because it is unbounded). We need to mimic this in the computationally bounded case. We do so by constructing a channel whose support (i) appears random to a bounded encoder, but (ii) has an efficient test of membership that the adversary can perform given only a short advice. As already mentioned, we wish to replace a random channel with a pseudorandom one and give the short pseudorandom seed to the adversary, while keeping the min-entropy guarantee truthful. The next few paragraphs will explain how this is done, using the techniques of huge random objects from [8].
A reader not familiar with [8] may find it easier to skip to the paragraph entitled "Properties of the Pseudorandom Flat $h$-Channels," where the results of this, i.e., the properties of the channel that we obtain, are summarized.

Footnote 2: In this case, truthfulness implies that for each history length, the support of the channel has exactly $H$ elements.

Specifying and Implementing the Flat $h$-Channel. For the next few paragraphs, familiarity with [8] will be assumed. Recall that [8] requires a specification of the object that will be pseudorandomly implemented, in the form of a Turing machine with a countably infinite random tape. It would be straightforward to specify the channel as a random object (random subset $D$ of $\Sigma$ of size $H$) admitting two types of queries: "sample" and "test membership." But a pseudorandom implementation of such an object would also replace random sampling with pseudorandom sampling, whereas in a stegosystem the encoder is guaranteed a truly random sample from $D$ (indeed, without such a guarantee, the min-entropy guarantee is no longer meaningful). Therefore, we need to construct a slightly different random object, implement it pseudorandomly, and add random sampling on top of it.

We specify the random object as follows. Recall that $S = |\Sigma|$, $h$ is the min-entropy, and $H = 2^h$.

Definition 3 (Specification of a flat $h$-channel). Let $M_\omega$ be a probabilistic Turing machine with an infinite random tape $\omega$. On input five integers $(S, H, i, a, b)$ (where $0 < H \le S$, $i > 0$, $0 \le a \le b < S$), $M_\omega$ does the following:
• divides $\omega$ into consecutive substrings $y_1, y_2, \ldots$ of length $S$ each;
• identifies among them the substrings that have exactly $H$ ones; let $y$ be the $i$th such substring (with probability one, there are infinitely many such substrings, of course);
• returns the number of ones in $y$ between, and including, positions $a$ and $b$ in $y$ (positions are counted from $0$ to $S - 1$).

In what way does $M = M_\omega$ specify a flat $h$-channel? To see that, identify $\Sigma$ with $\{0, \ldots, S - 1\}$, and let $D_i$ be the subset of $\Sigma$ indicated by the ones in $y$. Then $D_i$ has cardinality $H$ and testing membership in $D_i$ can be realized using a single query to $M$:

    insupp^M(i, s): return M(S, H, i, s, s)

Obviously, the $D_i$ are selected uniformly at random and independently of each other. Thus, this object specifies the correct channel and allows membership testing. We now use this object to allow for random sampling of $D_i$. Outputting a random element of $D_i$ can be realized via about $\log S$ queries to $M$, using the following procedure (essentially, binary search):

    rndelt^M(i): return random-element-in-range^M(S, H, i, 0, S-1)

    random-element-in-range^M(S, H, i, a, b):
        if a = b then return a and terminate
        mid   ← ⌊(a + b)/2⌋
        total ← M(S, H, i, a, b)
        left  ← M(S, H, i, a, mid)
        r ←_R {1, ..., total}
        if r ≤ left then return random-element-in-range^M(S, H, i, a, mid)
        else return random-element-in-range^M(S, H, i, mid+1, b)

We can implement this random object pseudorandomly using the same techniques as [8] uses for implementing random boolean functions with interval sums (see [8, Theorem 3.2]). Namely, the authors of [8] give a construction of a truthful pseudo-implementation of a random object determined by a random boolean function $f: \{0, \ldots, 2^n - 1\} \to \{0, 1\}$ that accepts queries in the form of two $n$-bit integers $(a, b)$ and answers with $\sum_{j=a}^{b} f(j)$. Roughly, their construction is as follows.
Let $S = 2^n$. Imagine a full binary tree of depth $n$, whose leaves contain values $f(0), f(1), \ldots, f(S - 1)$. Any other node in the tree contains the sum of the leaves in its subtree. Given access to such a tree, we can compute any sum $f(a) + f(a + 1) + \ldots + f(b)$ in time proportional to $n$. Moreover, such trees need not be stored fully but can be evaluated dynamically, from the root down to the leaves, as follows. The value in the root (i.e., the sum of all leaves) has binomial distribution and can be filled in pseudorandomly. Other nodes have more complex distributions (conditioned on its parent's value, a child's value is hypergeometric) but can also be filled in pseudorandomly and consistently, so that they contain the sums of their leaves. The construction uses a pseudorandom function to come up with the value at each node.

We need to make three modifications. First, we simply fix the value in the root to $H$, so that $f(0) + f(1) + \ldots + f(S - 1) = H$. Second, we allow $S$ to be not a power of 2. Third, in order to create multiple distributions $D_i$, we add $i$ as an input to the pseudorandom function, thus getting different (and independent-looking) randomness for each $D_i$. Having made these modifications, we obtain a truthful pseudo-implementation of $M$. It can be used within insupp and rndelt instead of $M$, for efficient membership testing and truly random sampling from our pseudorandom channel.

Properties of the Pseudorandom Flat $h$-Channels. We thus obtain that, given a short random seed $\omega$, it is possible to create a flat $h$-channel that is indistinguishable from random and allows for efficient membership testing and truly random sampling given $\omega$. To emphasize the pseudorandomness of the channel, in our notation we will use $DPR$ instead of $D$ and keep the seed $\omega$ explicit as a superscript.
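The lazily evaluated interval-sum tree with the three modifications above can be written out in a few dozen lines. The following class is an added example, not the authors' code: it realizes $M(S, H, i, a, b)$ for an alphabet of arbitrary size $S$ with the root fixed to $H$ and the index $i$ mixed into the PRF input, and builds insupp and rndelt (the paper's binary search) on top of it. The PRF is assumed to be HMAC-SHA256 keyed with the seed $\omega$; each hypergeometric split is obtained by inverting its CDF with a 64-bit PRF-derived uniform, so every descent through the tree sees the same node values and each $DPR^\omega_i$ has exactly $H$ elements. Class and function names, the seed, and the parameters in `demo` are constructed.

```python
"""Truthful pseudorandom flat h-channel (added example, not the paper's code)."""
import hashlib
import hmac
import math
import random


class FlatChannel:
    """DPR^omega: for every i a subset of {0, ..., S-1} of size exactly H that
    is never stored; the node of a lazily evaluated binary tree over [a, b]
    holds |DPR_i ∩ [a, b]|, derived from its parent with a PRF coin."""

    def __init__(self, seed: bytes, S: int, H: int):
        if not 0 < H <= S:
            raise ValueError("need 0 < H <= S")
        self.seed, self.S, self.H = seed, S, H

    def _coin(self, i, a, b):
        """PRF_seed(i, a, b) as a uniform in [0, 1); same node, same coin."""
        d = hmac.new(self.seed, f"{i}:{a}:{b}".encode(), hashlib.sha256).digest()
        return int.from_bytes(d[:8], "big") / 2 ** 64

    def _split(self, i, a, b, c):
        """Given c ones in [a, b], return (mid, k): k of them lie in [a, mid].
        Conditioned on the parent, k is hypergeometric; its CDF is inverted
        with the node's coin, so all descents agree (truthfulness)."""
        mid = (a + b) // 2
        n, nl = b - a + 1, mid - a + 1
        lo, hi = max(0, c - (n - nl)), min(c, nl)
        u, cum = self._coin(i, a, b), 0.0
        for k in range(lo, hi + 1):
            cum += math.comb(nl, k) * math.comb(n - nl, c - k) / math.comb(n, c)
            if u < cum:
                return mid, k
        return mid, hi                      # rounding shortfall: last bucket

    def count(self, i, a, b):
        """M(S, H, i, a, b): number of elements of DPR_i in [a, b]."""
        return self._count(i, 0, self.S - 1, self.H, a, b)

    def _count(self, i, lo, hi, c, a, b):
        if c == 0 or b < lo or a > hi:
            return 0
        if a <= lo and hi <= b:             # node fully inside the query
            return c
        mid, left = self._split(i, lo, hi, c)
        return (self._count(i, lo, mid, left, a, b)
                + self._count(i, mid + 1, hi, c - left, a, b))

    def insupp(self, i, s):
        """Membership test with a single interval query, as in the paper."""
        return self.count(i, s, s) == 1

    def rndelt(self, i, rng):
        """Truly random element of DPR_i: the paper's binary search, going
        left with probability left/total at every level."""
        a, b, c = 0, self.S - 1, self.H
        while a != b:
            mid, left = self._split(i, a, b, c)
            if rng.randrange(c) < left:
                b, c = mid, left
            else:
                a, c = mid + 1, c - left
        return a


def demo(seed=b"short-seed", S=37, H=5, i=1, draws=40):
    """Enumerate DPR_i by membership queries and draw from it.  Returns the
    support, the samples and the root count, so a caller can check that the
    support has exactly H elements and that every sample lies in it."""
    ch = FlatChannel(seed, S, H)
    support = [s for s in range(S) if ch.insupp(i, s)]
    rng = random.Random(2024)
    samples = [ch.rndelt(i, rng) for _ in range(draws)]
    return support, samples, ch.count(i, 0, S - 1)
```

Note the division of roles that the proof relies on: the adversary, who holds the seed, only needs `insupp`, while `rndelt` consumes fresh randomness from `rng` at every level, so the encoder still receives genuinely random samples even though the support itself is pseudorandom.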
Thus, $DPR^\omega_i$ is a pseudorandom subset of $\Sigma$ of size $H$, and the channel is denoted by $\overrightarrow{DPR}^\omega = DPR^\omega_1 \times DPR^\omega_2 \times \ldots$. Similarly to $E$ defined in Section 3.2 for truly random channels, define $EPR_n = \{(\omega, S) \mid |\omega| = n,\; s_{i,j} \in DPR^\omega_i\}$. Because $\overrightarrow{DPR}^\omega$ has the requisite min-entropy, it is valid to expect proper performance of the stegoencoder on it; because it is pseudorandom, an analog of Lemma 2 will still hold; and because it has efficient membership testing given a short seed, the adversary will be able to see if an output of the stegoencoder is not from it.

We are now ready to formally state the claim about the properties of $\overrightarrow{DPR}$. For this claim, and for the rest of the proof, we assume existence of a family of pseudorandom functions $F$ with insecurity $InSec^{PRF}_{F(n)}(t, d, q)$ (recall that $InSec$ is a bound on the distinguishing advantage of any adversary running in time at most $t$ of description size at most $d$ making at most $q$ queries). To simplify the notation, we will note that for us $d$ will always be at most the description size of the stegosystem plus some constant $c_1$, and that $q \le t$. We will then write $\iota_{PRF}(n, t)$ instead of $InSec^{PRF}_{F(n)}(t, d, q)$.

Claim 1. There is a polynomial $p$ and a family of channels $\overrightarrow{DPR}^\omega$, indexed by a string $\omega$ of length $n$ (as well as values $H$ and $S$), such that, for any positive integers $n, i$ and $H \le S$, the channel $\overrightarrow{DPR}$ has the following properties:
• it is a flat $h$-channel for $h = \log H$ on the alphabet $\{0, \ldots, S - 1\}$;
• it allows for sampling and membership testing in time polynomial in $n$, $\log S$, and $\log i$ given $\omega, i, H$, and $S$ as inputs;
• it is pseudorandom in the following sense: for any $H$, $S$, and any oracle machine (distinguisher) $A$ with running time $\tau \ge \log S$,
$$\left|\Pr_{(\vec{D}, S) \leftarrow E}\big[A^{S,\, Memb(\vec{D})}() = 1\big] - \Pr_{(\omega, S) \leftarrow EPR_n}\big[A^{S,\, Memb(\omega)}() = 1\big]\right| < \iota_{PRF}(n, p(\tau, n)) + \tau\,2^{-n},$$
where $Memb(\vec{D})$ and $Memb(\omega)$ denote membership testing oracles for $\vec{D}$ and $\overrightarrow{DPR}^\omega$, respectively.

The claim follows from the results of [8] with minor modifications, as presented above. We present no proof here. Note that the second argument to $\iota_{PRF}$ depends on $S$ only to the extent $\tau$ does; this is important, because, even for large alphabets and high-entropy channels, we want to keep the second argument to $\iota_{PRF}$ as low as possible so that $\iota_{PRF}$ is as low as possible.

Stegosystems Running with $DPR$ Almost Always Output Query Answers. Having built pseudorandom channels, we now state the analog of Lemma 2 that works for stegosystems secure only against bounded adversaries. Fix some $H$ and $S$. Let $A$ be the same as in Lemma 2, but given access to $\overrightarrow{DPR}^\omega$ instead of $\vec{D}$, and let $t = t_1 \ldots t_l$ be its output and $Q_i$ be the set of responses $A$ received to its queries of the $i$th channel $DPR_i$. Analogously to $Nq$ and $Ins$, define the following two families of events, indexed by $n$, the security parameter for the PRF.
• nonqueried, pseudorandom version: $NqPR_n = \{(\omega, S) \in EPR_n \mid (\exists i)\; t_i \notin Q_i\}$
• in support, pseudorandom version: $InsPR_n = \{(\omega, S) \in EPR_n \mid t \in \overrightarrow{DPR}^\omega\}$
We show that high probability of $InsPR_n$ implies low probability of $NqPR_n$. The formal statement of the lemma follows. To simplify the notation, let $R = S/(S - H)$.

Lemma 3.
There exists a polynomial $p_1$ such that, for any $A$ running in time $\tau \ge \log S$, if $\Pr[\overline{InsPR_n}] < \epsilon(n)$, then
$$\Pr[NqPR_n] < R\,\epsilon(n) + (R + 1)\left(\iota_{PRF}(n, p_1(\tau, n)) + \tau\,2^{-n}\right).$$

Proof. Let $Ins$ and $Nq$ be the same as in Lemma 2. Let $A'$ be a machine that is given an oracle which tests membership in the channel. Let $A'$ run $A$ to get $t$ and output 1 if and only if the membership oracle says that $t$ is in the channel. Applying Claim 1 to $A'$, we have that for some polynomial $p'$ (namely, the polynomial $p(\tau + t_{A'}(\tau), n)$, where $t_{A'}$ is the extra time that $A'$ needs to run after $A$ is finished),
$$\big|\Pr[InsPR_n] - \Pr[Ins]\big| < \iota_{PRF}(n, p'(\tau, n)) + \tau\,2^{-n}.$$
Therefore $\Pr[\overline{Ins}] < \epsilon(n) + \iota_{PRF}(n, p'(\tau, n)) + \tau\,2^{-n}$. It now follows, by the same derivation as for Equation (1) in the proof of Theorem 1, that
$$\Pr[Nq] < \frac{\epsilon(n) + \iota_{PRF}(n, p'(\tau, n)) + \tau\,2^{-n}}{1 - H/S}.$$
Let $A''$ be a machine that runs $A$ and outputs 1 if and only if $A$ outputs something it did not receive as a query response (note that $A''$ needs no membership oracle for this). Applying Claim 1 to $A''$, we get that, for some polynomial $p''$ (namely, the polynomial $p(\tau + t_{A''}(\tau), n)$, where $t_{A''}$ is the extra time that $A''$ needs to run in addition to $A$),
$$\big|\Pr[NqPR_n] - \Pr[Nq]\big| < \iota_{PRF}(n, p''(\tau, n)) + \tau\,2^{-n}.$$
Therefore,
$$\Pr[NqPR_n] < \frac{\epsilon(n) + \iota_{PRF}(n, p'(\tau, n))}{1 - H/S} + \iota_{PRF}(n, p''(\tau, n)) + (1 + R)\,\tau\,2^{-n}.$$
Now let $p_1 \ge \max(p', p'')$; since $\iota_{PRF}$ is nondecreasing in its second argument, this gives the bound in the statement.

Completing the Proof. We are now ready to prove Theorem 2.
We define the same events as in the proof of Theorem 1, except as subsets of $EPR_n \times \{0,1\}^* \times \{0,1\}^{lw} \times \{0,1\}^*$ rather than $E \times \{0,1\}^* \times \{0,1\}^{lw} \times \{0,1\}^*$ (we use the suffix $PR$ to emphasize that they are for the pseudorandom channel): $FewPR_n$, $CorrPR_n$, $LowPR_n$ denote, respectively, that $SE$ made at most $N$ queries, that $SD$ correctly decoded the hiddentext, and that the hiddentext has a low-weight encoding. Just like in the proof of Theorem 1, it holds that
$$\Pr[FewPR_n] \le \Pr[LowPR_n] + \Pr[NqPR_n] + \Pr[\overline{CorrPR_n}]$$
and that $\Pr[\overline{CorrPR_n}] < \rho$ and $\Pr[LowPR_n] < (Ne/(l\,2^w))^l$. It is left to argue a bound on $\Pr[NqPR_n]$. Consider an adversary against our stegosystem that contains $\omega$ as part of its description, gives its oracle a random message to encode, and then tests if the output is in $\overrightarrow{DPR}^\omega$. It can be implemented to run in $p_2(n, \log S, l)$ steps for some polynomial $p_2$ and has description size $n + c_2$ for some constant $c_2$. Hence, its probability of detecting a stegoencoder output that is not in $\overrightarrow{DPR}^\omega$ cannot be more than the insecurity $\epsilon = InSec^{SS}_{ST(\kappa),\, \overrightarrow{DPR}^\omega}(p_2(n, \log S, l),\, n + c_2,\, 1,\, lw)$. In other words, $\Pr[\overline{InsPR_n}] \le \epsilon$, and, by Lemma 3, we get
$$\Pr[NqPR_n] \le R\epsilon + (R + 1)\left(\iota_{PRF}(n, p_1(\tau, n)) + \tau\,2^{-n}\right).$$
Finally, to compute a bound on the expected value, we apply the same method as in the proof of Theorem 1.

Discussion. The proof of Theorem 2 relies fundamentally on Theorem 1: specifically, Lemma 3 relies on Lemma 2. In other words, to prove a lower bound in the computationally bounded setting, we use the corresponding lower bound in the information-theoretic setting. To do so, we replace an object of an exponentially large size (the channel) with one that can be succinctly described.
This replacement substitutes some information-theoretic properties with their computational counterparts. However, for a lower bound to remain "honest" (i.e., not restricted to uninteresting channels), some global properties must remain information-theoretic. This is where the truthfulness of huge random objects of [8] comes to the rescue. We hope that other interesting impossibility results can be proved in a similar fashion by adapting an information-theoretic result using the paradigm of [8]. We think truthfulness of the objects will be important in such adaptations for the same reason it was important here.

Note that the gap in the capabilities of the adversary and encoder/decoder is different in the two settings: in the information-theoretic case, the adversary is given unrestricted computational power, while in the computationally bounded case, it is assumed to run in polynomial time but is given the secret channel seed. However, in the information-theoretic case, we may remove the gap altogether by providing both the adversary and the encoder/decoder with a channel membership oracle and still obtain a lower bound analogous (see footnote 3) to that of Theorem 2. We see no such opportunity to remove the gap in the computationally bounded case (e.g., equipping the encoder/decoder with the channel seed seems to break our proof). Removing this asymmetry in the computationally bounded case seems challenging and worth pursuing.

Footnote 3: A lower bound on the number of samples per document sent becomes trivially zero if the encoder is given as much time as it pleases, in addition to the membership oracle of the flat channel. Yet it should not be difficult to prove that it must then run for $\Omega(2^w)$ steps per document sent.

4 The Stateful Construction STF

The construction STF relies on a pseudorandom function family $F$.
In addition to the security parameter $\kappa$ (the length of the PRF key $K$), it depends on the rate parameter $w$. Because it is stateful, both encoder and decoder take a counter $ctr$ as input. Our encoder is similar to the rejection-sampler-based encoder of [11] generalized to $w$ bits: it simply samples elements from the channel until the pseudorandom function evaluated on the element produces the $w$-bit symbol being encoded. The crucial difference of our construction is the following: to avoid introducing bias into the channel, if the same element is sampled twice, the encoder simply flips a fresh random coin to decide whether to output that element, so that it is output with probability $2^{-w}$. Hopper [12, Construction 6.10] independently proposes a similar construction, except instead of flipping a fresh random coin, the encoder evaluates the pseudorandom function on a new counter value (there is a separate counter associated to each sampled document, indicating how many times the document has been sampled), thus conserving randomness. Observe that, assuming $F$ is truly random rather than pseudorandom, each sample from the channel has probability $2^{-w}$ of being output, independent of anything else, because each time fresh randomness is being used. Of course, this introduces unreliability, which is related to the probability of drawing the same element from $D_H$ twice.

Procedure STF.SE(K, w, m, H, ctr):
    Let m = m_1 m_2 ... m_l, where |m_i| = w
    for i ← 1 to l:
        j ← 0; f ← 0; ctr ← ctr + 1
        repeat:
            j ← j + 1
            s_{i,j} ← M(H)
            if ∃ j' < j s.t. s_{i,j} = s_{i,j'}
                let c ∈_R {0,1}^w
                if c = m_i then f ← 1
            else if F_K(ctr, s_{i,j}) = m_i then f ← 1
        until f = 1
        s_i ← s_{i,j}; H ← H || s_i
    output s = s_1 s_2 ... s_l

Procedure STF.SD(K, w, s, ctr):
    Let s = s_1 ... s_l, where s_i ∈ Σ
    for i = 1 to l:
        ctr ← ctr + 1
        m_i ← F_K(ctr, s_i)
    output m = m_1 m_2 ... m_l

Theorem 3. The stegosystem STF has insecurity
$$InSec^{SS}_{STF(\kappa, w)}(t, d, l, lw) \le InSec^{PRF}_{F(\kappa)}\big(t + O(1),\, d + O(1),\, l\,2^w\big).$$
For each $i$, the probability that $s_i$ is decoded incorrectly is at most $2^{-h+w} + InSec^{PRF}_{F(\kappa)}(2^w, O(1), 2^w)$, and unreliability is at most $l\left(2^{-h+w} + InSec^{PRF}_{F(\kappa)}(2^w, O(1), 2^w)\right)$.

Proof. The insecurity bound is apparent from the fact that if $F$ were truly random, then the system would be perfectly secure, because its output is distributed identically to $C$ (simply because the encoder samples from the channel and independently at random decides which sample to output, because the random function is never applied more than once to the same input). Hence, any adversary for the stegosystem would distinguish $F$ from random.

The reliability bound per symbol can be demonstrated as follows. Assuming that $F$ is random, the probability that $f$ becomes 1 after $j$ iterations of the inner loop in STF.SE (i.e., that $s_i = s_{i,j}$) is $(1 - 2^{-w})^{j-1}\,2^{-w}$. If that happens, the probability that $\exists j' < j$ such that $s_{i,j} = s_{i,j'}$ is at most $(j - 1)\,2^{-h}$. Summing up and using standard formulas for geometric series, we get
$$\sum_{j=1}^{\infty} (j - 1)\,2^{-h}\left(1 - 2^{-w}\right)^{j-1} 2^{-w} = 2^{-h-w}\left(\sum_{j=1}^{\infty}\left(1 - 2^{-w}\right)^{j}\right)\left(\sum_{k=0}^{\infty}\left(1 - 2^{-w}\right)^{k}\right) < 2^{w-h}.$$
Note that errors are independent for each symbol, and hence error-correcting codes over an alphabet of size $2^w$ can be used to increase reliability: one simply encodes $m$ before feeding it to SE. Observe that, for a truly random $F$, if an error occurs in position $i$, the symbol decoded is uniformly distributed among all elements of $\{0,1\}^w \setminus \{m_i\}$. Therefore, the stegosystem creates a $2^w$-ary symmetric channel with error probability $2^{w-h}(1 - 2^{-w}) = 2^{-h}(2^w - 1)$ (this comes from more careful summation in the above proof). Its capacity is $w - \mathcal{H}\big[1 - 2^{-h}(2^w - 1),\, 2^{-h},\, 2^{-h},\, \ldots,\, 2^{-h}\big]$ (where $\mathcal{H}$ is the Shannon entropy of a distribution) [16, p. 58]. This is equal to
$$w + (2^w - 1)\,2^{-h}\log 2^{-h} + \left(1 - 2^{-h}(2^w - 1)\right)\log\left(1 - 2^{-h}(2^w - 1)\right).$$
Assuming that the error probability $2^{-h}(2^w - 1) \le 1/2$ and using $\log(1 - x) \ge -2x$ for $0 \le x \le 1/2$, we get that the capacity of the channel created by the encoder is at least $w + 2^{-h}(2^w - 1)(-h - 2) \ge w - (h + 2)\,2^{-h+w}$. Thus, as $l$ grows, we can achieve rates close to $w - (h + 2)\,2^{-h+w}$ with near perfect security and reliability (independent of $h$).

4.1 Stateless Variants of STF

Our stegosystem STF is stateful because we need $F$ to take $ctr$ as input to make sure we never apply the pseudorandom function more than once to the same input. This will happen automatically, without the need for $ctr$, if the channel $C$ has the following property: for any histories $H$ and $H'$ such that $H$ is a prefix of $H'$, the supports of $D_H$ and $D_{H'}$ do not intersect. For instance, when documents have monotonically increasing sequence numbers or timestamps, no shared state is needed.

To remove the need for shared state for all channels, we can do the following. We remove $ctr$ as an input to $F$ and instead provide STF.SE with the set $Q$ of all values received so far as answers from $M$. We replace the line "if ∃ j' < j s.t. s_{i,j} = s_{i,j'}" with "if s_{i,j} ∈ Q" and add the line "Q ← Q ∪ {s_{i,j}}" before the end of the inner loop. Now shared state is no longer needed for security, because we again get fresh coins on each draw from the channel, even if it collides with a draw made for a previous hiddentext symbol. However, reliability suffers, because the larger $l$ is, the more likely a collision will happen. A careful analysis, omitted here, shows that unreliability is $l^2\,2^{-h+w}$ (plus the insecurity of the PRF).
Unfortunately, this variant requires the encoder to store the set $Q$ of all the symbols ever sampled from $C$. Thus, while it removes shared state, it requires a lot of private state. This storage can be reduced somewhat by use of Bloom filters [2] at the expense of introducing potential false collisions and thus further decreasing reliability. An analysis utilizing the bounds of [3] (omitted here) shows that using a Bloom filter with $(h - w - \log l)/\ln 2$ bits per entry will increase unreliability by only a factor of 2, while potentially reducing storage significantly (because the symbols of $\Sigma$ require at least $h$ bits to store and possibly more if $D_H$ is sparse).

5 The Stateless Construction STL

The stateless construction STL is simply STF without the counter and collision detection (and is a generalization to rate $w$ of the construction that appeared in the extended abstract of [11]). Again, we emphasize that the novelty is not in the construction but in the analysis. The construction requires a reliability parameter $k$ to make sure that the expected running time of the encoder does not become infinite due to a low-probability event of infinite running time.

Procedure STL.SE(K, w, k, m, H):
    Let m = m_1 ... m_l, where |m_i| = w
    for i ← 1 to l:
        j ← 0
        repeat:
            j ← j + 1
            s_{i,j} ← M(H)
        until F_K(s_{i,j}) = m_i or j = k
        s_i ← s_{i,j}; H ← H || s_i
    output s = s_1 s_2 ... s_l

Procedure STL.SD(K, w, s):
    Let s = s_1 ... s_l, where s_i ∈ Σ
    for i ← 1 to l:
        m_i ← F_K(s_i)
    output m = m_1 m_2 ... m_l

Theorem 4. The stegosystem STL has insecurity

$$\mathrm{InSec}^{\mathrm{SS}}_{\mathrm{STL}(\kappa,w,k),C}(t,d,l,lw) \in O\left(2^{-h+2w}l^2 + l e^{-k/2^w}\right) + \mathrm{InSec}^{\mathrm{PRF}}_{F(\kappa)}(t+O(1),\ d+O(1),\ l2^w).$$

More precisely,

$$\mathrm{InSec}^{\mathrm{SS}}_{\mathrm{STL}(\kappa,w,k),C}(t,d,l,lw) < 2^{-h}\left(l(l+1)2^{2w} - l(l+3)2^w + 2l\right) + 2l\left(1-\frac{1}{2^w}\right)^{k} + \mathrm{InSec}^{\mathrm{PRF}}_{F(\kappa)}(t+1,\ d+O(1),\ l2^w).$$

Proof.
The proof of Theorem 4 consists of a hybrid argument. The first step in the hybrid argument is to replace the stego encoder SE with $\mathrm{SE}_1$, which is the same as SE, except that it uses a truly random $G$ instead of the pseudorandom $F$, which accounts for the term $\mathrm{InSec}^{\mathrm{PRF}}_{F(\kappa)}(t+O(1),\ d+O(1),\ l2^w)$. Then, rather than consider directly the statistical difference between $C$ and the output of $\mathrm{SE}_1$ on an $lw$-bit message, we bound it via a series of steps involving related stego encoders (these are not encoders in the sense defined in Section 2, as they do not have corresponding decoders; they are simply related procedures that help in the proof). The encoders $\mathrm{SE}_2$, $\mathrm{SE}_3$, and $\mathrm{SE}_4$ are specified in Figure 1. $\mathrm{SE}_2$ is the same as $\mathrm{SE}_1$, except that it maintains a set $Q$ of all answers received from $M$ so far. After receiving an answer $s_{i,j} \leftarrow M(H)$, it checks if $s_{i,j} \in Q$; if so, it aborts and outputs "Fail"; else, it adds $s_{i,j}$ to $Q$. It also aborts and outputs "Fail" if $j$ ever reaches $k$ during an execution of the inner loop. $\mathrm{SE}_3$ is the same as $\mathrm{SE}_2$, except that instead of thinking of the random function $G$ as being fixed beforehand, it creates $G$ "on the fly" by repeatedly flipping coins to decide the $w$-bit value assigned to $s_{i,j}$. Since, like $\mathrm{SE}_2$, it aborts whenever a collision between covertext strings occurs, the function will remain consistent. Finally, $\mathrm{SE}_4$ is the same as $\mathrm{SE}_3$, except that it never aborts with failure. In a sequence of lemmas, we bound the statistical difference between the outputs of $\mathrm{SE}_1$ and $\mathrm{SE}_2$; show that it is the same as the statistical difference between the outputs of $\mathrm{SE}_3$ and $\mathrm{SE}_4$; and show that the outputs of $\mathrm{SE}_2$ and $\mathrm{SE}_3$ are distributed identically. Finally, observe that $\mathrm{SE}_4$ does nothing more than sample from the channel and then randomly, and obliviously to the sample, keep or discard it. Hence, its output is distributed identically to the channel. The details of the proof follow.

SE_2(K, w, k, m_1 ... m_l, H):
    Q ← ∅
    for i ← 1 to l:
        j ← 0
        repeat:
            j ← j + 1
            s_{i,j} ← M(H)
            if s_{i,j} ∈ Q or j = k + 1 then abort and output "Fail"
            Q ← Q ∪ {s_{i,j}}
        until G(s_{i,j}) = m_i
        s_i ← s_{i,j}; H ← H || s_i
    output s = s_1 s_2 ... s_l

SE_3(K, w, k, m_1 ... m_l, H):
    Q ← ∅
    for i ← 1 to l:
        j ← 0
        repeat:
            j ← j + 1
            s_{i,j} ← M(H)
            if s_{i,j} ∈ Q or j = k + 1 then abort and output "Fail"
            Q ← Q ∪ {s_{i,j}}
            Pick c ∈_R {0,1}^w
        until c = m_i
        s_i ← s_{i,j}; H ← H || s_i
    output s = s_1 s_2 ... s_l

SE_4(K, w, k, m_1 ... m_l, H):
    for i ← 1 to l:
        j ← 0
        repeat:
            j ← j + 1
            s_{i,j} ← M(H)
            Pick c ∈_R {0,1}^w
        until c = m_i
        s_i ← s_{i,j}; H ← H || s_i
    output s = s_1 s_2 ... s_l

Figure 1: "Encoders" $\mathrm{SE}_2$, $\mathrm{SE}_3$, and $\mathrm{SE}_4$ used in the proof of Theorem 4

For ease of notation, we will denote $2^{-h}$ (the upper bound on the probability of elements of $D_H$) by $p$ and $2^w$ by $R$ for the rest of this proof. The following proposition serves as a warm-up for the proof of Lemma 4, which follows it.

Proposition 1. The statistical difference between the output distributions of $\mathrm{SE}_1$ and $\mathrm{SE}_2$ for a $w$-bit hiddentext message $m \in \{0,1\}^w$ is at most $2p(R-1)^2 + 2e^{-k/R}$. That is,

$$\sum_{s \in \Sigma}\left|\Pr_{G,M}\left[\mathrm{SE}_1(K,w,k,m,H) \to s\right] - \Pr_{G,M}\left[\mathrm{SE}_2(K,w,k,m,H) \to s\right]\right| < 2p(R-1)^2 + 2e^{-k/R}.$$

Proof. Consider the probability that $\mathrm{SE}_2$ outputs "Fail" while trying to encode some $m \in \{0,1\}^w$. This happens for one of two reasons. First, if after $k$ attempts to find $s_{i,j}$ such that $G(s_{i,j}) = m_i$, no such $s_{i,j}$ has been drawn. Second, if the same value is returned twice by $M$ before $\mathrm{SE}_2$ finds a satisfactory $s_{i,j}$; in other words, if there has been a collision between two unsuccessful covertext documents.
Let $E_1$ denote the event that one of these two situations has occurred and $n_1$ denote the value of $j$ at which $E_1$ occurs. Then

$$\Pr[E_1] \le \left(\frac{R-1}{R}\right)^{2}p + \left(\frac{R-1}{R}\right)^{3}2p + \cdots + \left(\frac{R-1}{R}\right)^{k-1}(k-2)p + \left(\frac{R-1}{R}\right)^{k} = p\sum_{n_1=2}^{k-1}\left(\frac{R-1}{R}\right)^{n_1}(n_1-1) + \left(\frac{R-1}{R}\right)^{k}$$

$$< p\left(\frac{R-1}{R}\right)^{2}\sum_{n_1=0}^{\infty}\left(\frac{R-1}{R}\right)^{n_1}(n_1+1) + \left(\frac{R-1}{R}\right)^{k} = p(R-1)^2 + \left(\frac{R-1}{R}\right)^{k} < p(R-1)^2 + e^{-k/R}.$$

Observe that the probability that $\mathrm{SE}_2$ outputs a specific document $s$ which is not "Fail" can only be less than the probability that $\mathrm{SE}_1$ outputs the same element. Since the total decrease over all such $s$ is at most the probability of failure from above, the total statistical difference is at most $2\Pr[E_1]$.

Lemma 4. The statistical difference between the output of $\mathrm{SE}_1$ and $\mathrm{SE}_2$ when encoding a message $m \in \{0,1\}^{lw}$ is at most

$$p\left(l(l+1)R^2 - l(l+3)R + 2l\right) + 2l\left(1-\frac{1}{R}\right)^{k}.$$

Proof. Proposition 1 deals with the case $l = 1$. It remains to extend this line of analysis to the general case $l > 1$. As in the proof of Proposition 1, let $E_i$ denote the event that $\mathrm{SE}_2$ outputs "Fail" while attempting to encode the $i$th block $m_i$ of $m$. Note that $E_i$ grows with $i$ because the set $Q$ grows as more and more blocks are encoded. Also, let $n_i$ denote the number of attempts used by $\mathrm{SE}_2$ to encode the $i$th block. To simplify the analysis, we initially ignore the boundary case of failure on attempt $n_i = k$ and treat a failure on this attempt like all others. Let $E'_i$ denote these events. Then we have the following sequence of probabilities. Recall that, for $E'_1$, $\Pr[E'_1] < p(R-1)^2$.
In the harder case of $E'_2$,

$$\Pr[E'_2] = \sum_{n_1=1}^{k}\Pr[E'_2 \mid n_1 \text{ draws for bit } 1]\,\Pr[n_1 \text{ draws for bit } 1] \le \frac{p}{R}\sum_{n_1=1}^{k}\sum_{n_2=1}^{k}\left(\frac{R-1}{R}\right)^{n_1+n_2-1}(n_1+n_2-1)$$

$$= \frac{p}{R}\sum_{n_1=1}^{k}\left(\frac{R-1}{R}\right)^{n_1-1}\left(\sum_{n_2=1}^{k}\left(\frac{R-1}{R}\right)^{n_2}(n_2-1) + n_1\sum_{n_2=1}^{k}\left(\frac{R-1}{R}\right)^{n_2}\right)$$

$$< \frac{p}{R}\sum_{n_1=1}^{k}\left(\frac{R-1}{R}\right)^{n_1-1}\left(\Pr[E'_1]/p + n_1(R-1)\right) < \frac{p}{R}\left(R\Pr[E'_1]/p + R^2(R-1)\right) = p\left((R-1)^2 + R(R-1)\right) = p(2R-1)(R-1).$$

Similarly, for $E'_3$,

$$\Pr[E'_3] \le \frac{p}{R^2}\sum_{n_1=1}^{k}\sum_{n_2=1}^{k}\sum_{n_3=1}^{k}\left(\frac{R-1}{R}\right)^{n_1+n_2+n_3-2}(n_1+n_2+n_3-1)$$

$$= \frac{p}{R^2}\sum_{n_1=1}^{k}\left(\frac{R-1}{R}\right)^{n_1-1}\left(R\Pr[E'_2]/p + n_1\sum_{n_2=1}^{k}\left(\frac{R-1}{R}\right)^{n_2-1}\sum_{n_3=1}^{k}\left(\frac{R-1}{R}\right)^{n_3}\right)$$

$$< \frac{p}{R^2}\sum_{n_1=1}^{k}\left(\frac{R-1}{R}\right)^{n_1-1}\left(R\Pr[E'_2]/p + n_1R(R-1)\right) < \frac{p}{R^2}\left(R^2\Pr[E'_2]/p + R^3(R-1)\right) = p(3R-1)(R-1).$$

In general, for $E'_i$, we have the recurrence

$$\Pr[E'_i] \le \frac{p}{R^{i-1}}\sum_{n_1=1}^{k}\left(\frac{R-1}{R}\right)^{n_1-1}\left(R^{i-2}\Pr[E'_{i-1}]/p + n_1R^{i-2}(R-1)\right) < \Pr[E'_{i-1}] + pR(R-1),$$

which when solved yields $\Pr[E'_i] < p(iR-1)(R-1)$. Now summing up the probability of failure for each of the $w$-bit blocks of hiddentext gives

$$\sum_{i=1}^{l}\Pr[E'_i] < p(R-1)\sum_{i=1}^{l}(iR-1) = p(R-1)\left(R\sum_{i=1}^{l}i - \sum_{i=1}^{l}1\right) = p(R-1)\left(\frac{Rl(l+1)}{2} - l\right) = p\left(\frac{R^2}{2}(l+1)l - \frac{R}{2}(l+3)l + l\right).$$

Next, we compute the probability of the event that the encoding of block $m_i$ fails because there were $k$ unsuccessful attempts to find a covertext string which evaluates to $m_i$ under $G$, given that no collisions occurred so far. Call this event $\hat{E}_i$. Then $\Pr[\hat{E}_i] < \left(\frac{R-1}{R}\right)^{k}$. Finally, we compute the total probability of failure, which is at most the sum of the $E'_i$ and $\hat{E}_i$ events.
That is, the probability that $\mathrm{SE}_2$ outputs "Fail" while encoding any of the $l$ $w$-bit blocks $m_i$ of $m$ is at most

$$\sum_{i=1}^{l}\Pr[E_i] < \sum_{i=1}^{l}\left(\Pr[E'_i] + \Pr[\hat{E}_i]\right) < p\left(\frac{R^2}{2}(l+1)l - \frac{R}{2}(l+3)l + l\right) + l\left(\frac{R-1}{R}\right)^{k}.$$

The statistical difference is at most just twice this amount.

Lemma 5. The statistical difference between the output distributions of $\mathrm{SE}_2$ and $\mathrm{SE}_3$ for a random function $G$ and hiddentext message $m \in \{0,1\}^{lw}$ is zero.

Proof. Both $\mathrm{SE}_2$ and $\mathrm{SE}_3$ abort and output "Fail" whenever the encoding of a block $m_i$ fails. This occurs because either: (1) there are $k$ unsuccessful attempts to find $s_{i,j}$ such that $G(s_{i,j}) = m_i$; or (2) the same document is drawn twice, i.e., there is a collision between candidate covertext documents. Hence, $\mathrm{SE}_2$ evaluates $G$ at most once on each element of $\Sigma$. So, although $\mathrm{SE}_3$ ignores $G$ and creates its own random function by flipping coins at each evaluation, since no element of $\Sigma$ will be re-assigned a new value, the output distributions of $\mathrm{SE}_2$ and $\mathrm{SE}_3$ are identical.

Lemma 6. The statistical difference between the output distributions of $\mathrm{SE}_3$ and $\mathrm{SE}_4$ is equal to the statistical difference between the output distributions of $\mathrm{SE}_1$ and $\mathrm{SE}_2$ used to encode the same message.

Proof. As Lemma 4 shows, the probability that $\mathrm{SE}_2$ (and consequently $\mathrm{SE}_3$, by Lemma 5) outputs "Fail" is at most

$$p\left(\frac{R^2}{2}(l+1)l - \frac{R}{2}(l+3)l + l\right) + l\left(\frac{R-1}{R}\right)^{k}.$$

Note that $\mathrm{SE}_4$ has no such element; the probabilities of each output other than "Fail" can only increase. Hence, the total statistical difference is twice the probability of "Fail".

These three lemmas, put together, conclude the proof of the theorem. We can save a factor of two in the statistical difference by the following observation.
Half of the statistical difference between the outputs of $\mathrm{SE}_1$ and $\mathrm{SE}_2$, as well as between the outputs of $\mathrm{SE}_3$ and $\mathrm{SE}_4$, is due to the probability of "Fail". Because neither $\mathrm{SE}_1$ nor $\mathrm{SE}_4$ outputs "Fail", the statistical difference between the distributions they produce is therefore only half of the sum of the statistical differences.

Theorem 5. The stegosystem STL has unreliability

$$\mathrm{UnRel}^{\mathrm{SS}}_{\mathrm{STL}(\kappa,w,k),C,l} \le l\left(2^w\exp\left[-2^{h-2w-1}\right] + \exp\left[-2^{-w-1}k\right]\right) + \mathrm{InSec}^{\mathrm{PRF}}_{F(\kappa)}(t,d,l2^w),$$

where $t$ and $d$ are the expected running time and description size, respectively, of the stego encoder and the stego decoder combined.

Proof. As usual, we consider unreliability if the encoder is using a truly random $G$; then, for a pseudorandom $F$, the encoder and decoder will act as a distinguisher for $F$ (because whether something was encoded correctly can be easily tested by the decoder), which accounts for the $\mathrm{InSec}^{\mathrm{PRF}}$ term. The stegoencoder fails to encode properly when it cannot find $s_{i,j}$ such that $G(s_{i,j}) = m_i$ after $k$ attempts. We will consider separately the case where $G$ is simply unlikely to hit $m_i$ and the case where $G$ is reasonably likely to hit $m_i$, but the samples from the channel are just unlucky $k$ times in a row.

To bound the probability of failure in the first case, fix some channel history $H$ and $w$-bit message $m$ and consider the probability over $G$ that $G(D_H)$ is so skewed that the weight of $G^{-1}(m)$ in $D_H$ is less than $c2^{-w}$ for some constant $c < 1$ (note that the expected weight is $2^{-w}$). Formally, consider $\Pr_G\left[\Pr_{s \leftarrow D_H}[G(s) = m] < c2^{-w}\right]$. Let $\Sigma = \{s_1, \ldots, s_n\}$ be the alphabet, and let $\Pr_{D_H}[s_i] = p_i$. Define the random variable $X_i$ as $X_i = 0$ if $G(s_i) = m$ and $X_i = p_i$ otherwise. Then the weight of $G^{-1}(m)$ equals $\Pr_{s \leftarrow D_H}[G(s) = m] = 1 - \sum_{i=1}^{n}X_i$.
Note that the expected value, over $G$, of $\sum_{i=1}^{n}X_i$ is $1 - 2^{-w}$. Using Hoeffding's inequality (Theorem 2 of [10]), we obtain

$$\Pr_G\left[1 - \sum_{i=1}^{n}X_i \le c2^{-w}\right] \le \exp\left[-2(1-c)^2 2^{-2w}\Big/\sum_{i=1}^{n}p_i^2\right] \le \exp\left[-2(1-c)^2 2^{-2w}\Big/\left(2^{-h}\sum_{i=1}^{n}p_i\right)\right] = \exp\left[-2(1-c)^2 2^{h-2w}\right],$$

where the second to last step follows from $p_i \le 2^{-h}$ and the last step follows from $\sum_{i=1}^{n}p_i = 1$. If we now set $c = 1/2$ and take the union bound over all messages $m \in \{0,1\}^w$, we get that the probability that $G$ is skewed for at least one message is at most $2^w\exp\left[-2^{h-2w-1}\right]$.

To bound the probability of failure in the second case, assume that $G(D_H)$ is not so skewed. Then the probability of failure is $(1 - c2^{-w})^k \le \exp\left[-c2^{-w}k\right]$. The result follows from setting $c = 1/2$ and taking the union bound over $l$.

Acknowledgments

We are grateful to Nick Hopper for clarifying related work and to anonymous referees for their helpful comments. The authors were supported in part by the National Science Foundation under Grant No. CCR-0311485. Scott Russell's work was also facilitated in part by a National Physical Science Consortium Fellowship and by stipend support from the National Security Agency.

References

[1] Michael Backes and Christian Cachin. Public-key steganography with active attacks. In Joe Kilian, editor, Second Theory of Cryptography Conference — TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 210–226. Springer-Verlag, 2005.

[2] B. Bloom. Space/time tradeoffs in hash coding with allowable errors. Communications of the ACM, 13(7):422–426, July 1970.

[3] A. Broder and M. Mitzenmacher. Network applications of Bloom filters: A survey. In Proceedings of the Fortieth Annual Allerton Conference on Communication, Control and Computing, 2002.

[4] C. Cachin. An information-theoretic model for steganography. In Second International Workshop on Information Hiding, volume 1525 of Lecture Notes in Computer Science, pages 306–316, 1998.

[5] Nenad Dedić, Gene Itkis, Leonid Reyzin, and Scott Russell. Upper and lower bounds on black-box steganography. In Joe Kilian, editor, Second Theory of Cryptography Conference — TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 227–244. Springer-Verlag, 2005.

[6] Bert Fristedt and Lawrence Gray. A Modern Approach to Probability Theory. Birkhäuser, 1997.

[7] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. Journal of the ACM, 33(4):792–807, October 1986.

[8] Oded Goldreich, Shafi Goldwasser, and Asaf Nussboim. On the implementation of huge random objects. In 44th Annual Symposium on Foundations of Computer Science, pages 68–79, Cambridge, Massachusetts, October 2003. IEEE.

[9] J. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby. Construction of pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.

[10] W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58(301):13–30, March 1963.

[11] N. Hopper, J. Langford, and L. von Ahn. Provably secure steganography. Technical Report 2002/137, Cryptology e-print archive, http://eprint.iacr.org, 2002. Preliminary version in Crypto 2002.

[12] Nicholas J. Hopper. Toward a Theory of Steganography. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA, July 2004. Available as Technical Report CMU-CS-04-157.

[13] Lea Kissner, Tal Malkin, and Omer Reingold. Private communication to N. Hopper, J. Langford, L. von Ahn, 2002.

[14] Tri Van Le. Efficient provably secure public key steganography. Technical Report 2003/156, Cryptology e-print archive, http://eprint.iacr.org, 2003.

[15] Tri Van Le and Kaoru Kurosawa. Efficient public key steganography secure against adaptively chosen stegotext attacks. Technical Report 2003/244, Cryptology e-print archive, http://eprint.iacr.org, 2003.

[16] Robert J. McEliece. The Theory of Information and Coding. Cambridge University Press, second edition, 2002.

[17] Leonid Reyzin. A Note On the Statistical Difference of Small Direct Products. Technical Report BUCS-TR-2004-032, CS Department, Boston University, September 21, 2004. Available from http://www.cs.bu.edu/techreports/.

[18] Luis von Ahn and Nicholas J. Hopper. Public-key steganography. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology—EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science. Springer-Verlag, 2004.

A On Using Public ε-Biased Functions

Many stegosystems [11, 18, 1] (particularly public-key ones) use the following approach: they encrypt the hiddentext using encryption that is indistinguishable from random and then use rejection sampling with a public function $f: \Sigma \to \{0,1\}^w$ to stegoencode the resulting ciphertext. For security, $f$ should have small bias on $D_H$: i.e., for every $c \in \{0,1\}^w$, $\Pr_{s \in D_H}[s \in f^{-1}(c)]$ should be close to $2^{-w}$. It is commonly suggested that a universal hash function with a published seed (e.g., as part of the public key) be used for $f$.

Assume that the stegosystem has to work with a memoryless channel $C$, i.e., one for which the distribution $D$ is the same regardless of history. Let $E$ be the distribution induced on $\Sigma$ by the following process: choose a random $c \in \{0,1\}^w$ and then keep choosing $s \in D$ until $f(s) = c$. Note that the statistical difference between $D$ and $E$ is exactly the bias $\varepsilon$ of $f$.
We are interested in the statistical difference between $D^l$ and $E^l$. For a universal hash function $f$ that maps a distribution of min-entropy $h$ to $\{0,1\}^w$, the bias is roughly $\varepsilon = 2^{(-h+w)/2}$. As shown in [17], if $l < 1/\varepsilon$ (which is reasonable to assume here), the statistical difference between $D^l$ and $E^l$ is roughly at least $\sqrt{l}\,\varepsilon$. Hence, the approach based on public hash functions results in statistical insecurity of about $\sqrt{l}\,2^{(-h+w)/2}$.